95dbd294f511335bb0b368c487abe48e8d72aa4b165cba94d32cef71a5e46916

Analysis

max time kernel
1451s
max time network
1453s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 19:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

$PLUGINSDIR/InstallOptions.dll
Size

14KB
MD5

046074d285897c008499f7f3ad5be114
SHA1

159040d616a056ee3498ec86debab58ef5036a55
SHA256

254c5ccbce59ad882f7f51d0bf760cabde8c88c5af84e13cc8ad77ba0361055c
SHA512

ab7436fda44e340dd5909ddec809c6b569a90d888529ef9320375e1aae7af85afcab8c1c1618551d3fe8d6ae727f7dca97aa8781b5555da759d501d2ccd749e1
SSDEEP

192:+Gs+dH4+oQOTgDbzuNfrigyULWsXXZF/01JJijqK72dwF7dBEnbok:+GvdH4qMebzPY2Vijq+BEnbo

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation upx

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1744	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe

Executes dropped EXE 4 IoCs

pid	Process
1652	Gas.exe
3692	IconDance.exe
1376	LoveYou.exe
1164	HMBlocker.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000002ac04-1060.dat	upx
behavioral2/memory/1164-1106-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1164-1120-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\Downloads\\HMBlocker.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
77	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HMBlocker.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
532	828	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IconDance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HMBlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1336	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "201"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1735401866-3802634615-1355934272-1000\{FD06CD7C-D0C5-4CCC-8AB0-C2951899D6D4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	msedge.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 493116.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 896977.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 740903.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 812785.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 100244.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HMBlocker.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
384	msedge.exe
384	msedge.exe
4972	msedge.exe
4972	msedge.exe
4604	identity_helper.exe
4604	identity_helper.exe
2980	msedge.exe
2980	msedge.exe
464	msedge.exe
464	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3656	msedge.exe
3656	msedge.exe
1164	msedge.exe
1164	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3692	IconDance.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeShutdownPrivilege	1392	shutdown.exe
Token: SeRemoteShutdownPrivilege	1392	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1936	PickerHost.exe
3280	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 828	4596	rundll32.exe	80
PID 4596 wrote to memory of 828	4596	rundll32.exe	80
PID 4596 wrote to memory of 828	4596	rundll32.exe	80
PID 384 wrote to memory of 4544	384	msedge.exe	102
PID 384 wrote to memory of 4544	384	msedge.exe	102
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 3984	384	msedge.exe	103
PID 384 wrote to memory of 1400	384	msedge.exe	104
PID 384 wrote to memory of 1400	384	msedge.exe	104
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105
PID 384 wrote to memory of 712	384	msedge.exe	105

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 544
    3⤵
    - Program crash
    PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 828 -ip 828
1⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe56fc3cb8,0x7ffe56fc3cc8,0x7ffe56fc3cd8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7388 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6844 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7540 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,7765271915773142143,17302558949218673397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1484

C:\Users\Admin\Downloads\Gas.exe
"C:\Users\Admin\Downloads\Gas.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652

C:\Users\Admin\Downloads\IconDance.exe
"C:\Users\Admin\Downloads\IconDance.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "
1⤵
PID:1600
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:4812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2660
- C:\Windows\system32\net.exe
  net stop "SDRSVC"
  2⤵
  PID:1552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC"
    3⤵
    PID:1376
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  PID:2516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:3756
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:1580
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:2988
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1744
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  PID:4224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
  2⤵
  PID:1220
- C:\Windows\system32\find.exe
  find /I "L0Lz"
  2⤵
  PID:3512
- C:\Windows\system32\xcopy.exe
  XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
  2⤵
  - Drops startup file
  PID:2140
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1936
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1588
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1664
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:952
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4724
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1300
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3692
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3464
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:328
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4108
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2992
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4868
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1856
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4996
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:5016
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2520
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3116
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1936
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2988
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3628
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4820
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1388
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4224
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2352
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3516
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4064
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:780
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2140
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2964
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2104
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1748
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:328
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4460
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2876
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1576
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1376
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2204
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1592
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2756
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2092
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1484
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2476
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2864
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4800
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3404
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3808
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3264
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1468
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:656
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4728
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3332
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3968
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:952
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3516
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1300
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3512
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1840
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1704
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4604
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3180
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3432
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2936
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3380
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:868
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2736
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2992
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3004
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:2204
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:200
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:1096
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:3932
- C:\Windows\system32\xcopy.exe
  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Guard.bat" "
1⤵
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Guard.bat" "
1⤵
PID:4680

C:\Users\Admin\Downloads\LoveYou.exe
"C:\Users\Admin\Downloads\LoveYou.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376

C:\Users\Admin\Downloads\HMBlocker.exe
"C:\Users\Admin\Downloads\HMBlocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 6 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\HMBlocker.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\HMBlocker.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1040

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3018dc7e49026aed272afc0d93591b46

SHA1
3c1de8226a02869d256bcdff1d4d8757322c925f

SHA256
771f1c66e7e1c5128cc869c47c56d72c42337f98961942c88a6d73e37d1fea16

SHA512
a01910d6a5e4e665f2a857609bd56ffc8e5aaf65dbc027f4e6adc2ab4dc6d3ac1ec1e8c3d3f50a06d153db41ba57a65e4ef9284ede4fc164e0e1a589023dc1e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
62e82159940adff05b06b588d530e98c

SHA1
1e0a238ea4e5154b772e82c7eb55fa97cac4b072

SHA256
e494272ca9e751feae0bba5320d2b0e056b66f3d8daf6d221b030083ed2200e4

SHA512
4112ee8e461c9076b4f327673a4c22a3d764fe7e19dcd3b8a2f950c395f9c03fa8fd98257126ead3c4154ea5a1711c7552fe7e15b2ac3e296814749645781ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c561fc8e258bf77d6198b92b011abf65

SHA1
08e1f61db5055aa73ef4e40e736a9f2a438109b3

SHA256
67b332f626986a6bcc52a1f7d93e4b6c3cc9331fabfaf071d4d5f72e96c466c4

SHA512
9c24ad5a8988d31a2a4dc217c6ed51d7b0c745e43f9b3cceadcd0d4ec1ee960548c7959464b829146bbc0a5cb076ad68a56acfa8634bedf40294858192ce03b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2d2bd6918352cf697111fb74c5b9bba9

SHA1
2050a64b0c9c5bf478ef65d9a641eea57e3edaa4

SHA256
7b920aef7fe250eb311cb41b6f2c083a2d17faf3d603d29de3b64b165a841d28

SHA512
32a2849c2b99682dd89297b4b0edf67b62dc77b5c791f7068cc5e967b747d759b9f0a68326f2d7500140e3852bf7639b03e48d6c2c16812069fa06065d5d7c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f7f436781b8ec99669bd5bacfdd38ee8

SHA1
cac794b8d800521298e580301ae274c4bdf0ad5c

SHA256
6c1e28af5e7c9936964a23fff58f162060cc487a60958c08848699801fafcf94

SHA512
07c8a46490d4e5b3f49fea58bad3416dc4cacdfd6630a8704f7f065ea3b6b4720ebc210880da8dd371b85c91f9886854d4042a913d9b1618568ba4e77606a153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66e50629fbe1932d439355e00b50fb81

SHA1
bcc3c197ff7c50b6ecd8bce1b4224d603d4ffba6

SHA256
b787bd349a3229ae84a1e7df46f772eb636206105735508a794e9c2b906e1483

SHA512
80219ba27517b78bf0fa36690c4e6fb1cc439b6ae8605a8acef07c3c2f702d4e9edece10c3b5af3f8054c9ef4ac5ff669fc2ce743e1f84eea3b2b8104bfef80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
140cd2d3e325273f71d7f45d31cb715a

SHA1
04d67ba5bade397594610889cce4bcf2ebd02124

SHA256
2d368f204bb266cc4fc2d442e934fa86e4f2aa24a58ddea2fde3ba92b71e5aa7

SHA512
dae63fd2b7bed79ed32dfca15344e6f7eb3a21cab3080461b1a7681d0ad4bc7753387c5c44f259e9ba98011565458eeb87b1895e23ec2a830389d70231ef6d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2154da34a640f5fd4e25c8c0a688422b

SHA1
20d890e42d219149c0f87e64e203d253e41ba694

SHA256
a0b3157492a8f574f21d338d7f3d45853466852e850e3278d030a3a275a26e56

SHA512
42895704726f60041801492f81ca55d7b34a8269284026eba4411f7e2ea1a134414d5a3df182f577349fa81152889d7c71aee50a108b3c4edaafd54fef46ffb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8c6341c53fac33092b26352d8c42028

SHA1
51c7ac99c9e8969a18f9c24aa47584f405ee3a5d

SHA256
8f672a0ad1c8f29c816870d3210bd1512cf0e2f1b437313e819a069b9beff60b

SHA512
9ee2a4466f716cd14dbf81c795fd22b8a1e7c07c7d2de46e750f227a7e124aed8282920c5bce53e0ca781a8231a8a4c68d16aa41ef198d5671cc85760d716f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6893730983b1669332312d579acbbee5

SHA1
1e0cb28543fe8ffbd46f408ba6df80872bca9dff

SHA256
adf0412478dd487d92e978bac9e05dd3bd41890028a1673418637cf8af89c34e

SHA512
9b9cf649815035111844c1f02ff37bc41cfcb0a741e38df57660fdf5d7b611da8e67a9403d8bf6c6aff34cc29b3ccb1e8646867f66a17d3d22222dacd6afc771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
37830cd9191b377c967bb106c66c1e95

SHA1
5d276d8335454de801913de68c6e2344ef535796

SHA256
ed36e270354444710334fd1aa5be88fbb0c223222bea297233745ab68eb0e612

SHA512
98b4fb3198b973f1228480e6a0038f156e49e2ed81b1309484de71ba6419224bdb6e117549b6dba4bb115a0a488d2c7cb7bfb40c964765b1a61ce737a568cb68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d99dd309e75cb286612eb46a426558f

SHA1
29fe8fffa1046440f3f930ad61370bf70f7180e2

SHA256
932d05c57e675e3b4653d621e47e040659e8d8c96cc0606733d45c47b1d9818d

SHA512
d1e79880b923cdb9f119453836fee502d49e519cb22eb8b80b44611c2310b414e4c529675dbc176acf7328058e5bb0fe6cb4ecf2be9f31b9f48704fdcc52f69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c870036eded1f5777e72e564ea06dd8b

SHA1
586cd29b2592ba11fe86b44892e1a37d65ff20fa

SHA256
8a77b1a8c4ede8838475af8bd48abd867d0ce0c28b2b0efe526ff7bb922cc5b4

SHA512
2f077d5bf99d86f9e86c8c4b257db363bb050820e68f5273440971dab6a294a3d403d52eff03b4ca9b0f12a5aea874f90faec4ffb2b89c6f1cf16d6256f2678b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69128ee14e4f96bb5750d6e523c21e84

SHA1
9cf57a8f681591a39219c38fa2120434a93f0d76

SHA256
b7b09efc3d486849ba3e210d964c098745d29c9c570966cdc19faf8bbbde7ccb

SHA512
b0cbe82d62654e0a82862950d365aaf59674ebbff51c6d8e4d5fbff1b63995851223a0a817a42d2970a93e094c4aee14ab1ec56ed300834bd9189d941c96559a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de17f526ed201dd5e54b80d1a182457a

SHA1
4962bb70ac7fbaca0f594ffc8d8b95a3b5e84e44

SHA256
778da97b84c7af70b56cd42090dceb0338df977aabb6a95ae6486cf5cb8771ec

SHA512
6432ca4873c51be9b905eb641d6ad6bc9fd3072d9b719b5ef348b02005e73e076e2216893524d1fcccafbd8cfb9b02760d790d47e50b63624f66a5aadff8c03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
418a752e470ded83a1db7bffc3d369fe

SHA1
d40104cc89650526cf3361c06da14897568720d7

SHA256
981dc2f5c37ba58ae891c40f02b93203f4e565eba6bdf4d5d9a51572395ecc54

SHA512
8c741de37c69f99345792b01518d059cb0c52c77f1581d209598c7e1dbbef5aa9856298bd62e0882baf745c528bf77a0ccd468c95ea07467b6d0aec4feeeaaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e992b46efc359ab3b15aab5937a495ad

SHA1
8e7488d9968b76c1612271b74e5393c725bf7a82

SHA256
a432a8553d571161a94bb135226147fda672b24ebbdf4532299b991cc7f0f576

SHA512
090fd6d65c670fa9f6b59c3e1c642051a802731d79a50fd3e0a037ea89f86f4074b974da817b6690602b1f9b051454cf822acd3b861c1aaa512cf8374dff83aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b4529d5b03aecc9d05926227c37e387

SHA1
b80361daa181f6fbb4a4f920dd9ac39a04099c8f

SHA256
e1e43674bc1052bf2b38f3575c5b9d35116f140d5bfacf748f0185d29d671f3d

SHA512
c8b8591583c68ac0ba28868fc391b14b8a2affc27086a7fa7ac716deb94b544446255c4e25bfa9bfda6412ab736255f56f1b6c1d5a718af4a3ec7c47e6684597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
43f6d95d268aa754832d7b7d3ab7278a

SHA1
6a19b6269bb09f71e9ef4fbd46dcb82dcb1a6ea5

SHA256
82c9f15bea009530f8058c58617f02f334c15b5241387b186a7693e7a7d6c0ff

SHA512
8c5efa43276d9de0c9d396a8b9932503f999893209f874d3d3f88340f693bb7dbd30eebe6849178378b97a6eb5807582ae7c871fd1d9c7ec157f3fad666f218e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e75a84c7081bcef4c0b01551eecd4c8e

SHA1
3ecc2cbf39e6d93acf19cfec7e42581fba36003f

SHA256
ef5881e578e05f3469000930d0f19442fe05507ba11b939c26d144d3e7cc454f

SHA512
c3c69b20fec74c875b94eccadae8b86c72fa8c8c7fa08b969d80e7d9766be26a4fc319f3d5384bbc9e6757f7226b6f855996136dfa7e6a600d824bfa56a75101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe68faa9.TMP

Filesize
1KB

MD5
40ed274241c7c5d7fa2367eb9ef57862

SHA1
c58339e9e07840fee3a68f16ba89893a070a8845

SHA256
43707685f057dd2e39a3a843e241a55a305e5e96ef137f0faa41808a0929a5bb

SHA512
1ec0beba086388862e54aaf2d15f3e92100caf11285d692ea0f5370cf61af6d2746b47f19603d47e38f8be3ab430569f4193284668a3a629beb6a125e9463460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd54eb03b3038a689be3c89141296e7b

SHA1
1cd041753306fdd225dff2197d78e5e7414241b6

SHA256
1c93b289fa6dfffb875af70cd9de11aad0f26c0c5e553998e5ab82dc0e1f6dfd

SHA512
4b3fc3b46107e6f9a3fbc7335c5cf61488c5b833d59da3f377f00be7431941ad49f66a2e03919fdb66c806dc879ca834c6f726624b3e243e19748afdfa9f52e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
41aeb2a7dddebfac016ca0f1bb0a8056

SHA1
4e5238ffe3a96a146fadbbaa5846473c98dcef18

SHA256
d2aca1e69ab5a4245c643e384e569d1152d86bf3193a1cdef4de40332919a5f5

SHA512
7b032d3ef38fac5b8df61e340fc88089bac9bfdd72c72964f0d0791e4a65fe16d736676c761e56c1623941f4eb17d29b59c4501b243662e1b8c71b7328055244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
314e3213b0d46552017ac3b94e4af0b9

SHA1
22ea9c9a97eee17b09e3f09a2b9dcaab0c0a22c2

SHA256
cffb910a2e577043b8718d570a9366883e094b49e3052e265347026fe96d567d

SHA512
aa1a5ff0cbce6a863567d00e6c814daad1586770fa47ab15d9c883df2d31631b89572c823dc0c4d969a0e087dc56f8f5ffa86f44db127d3059174b33707bd7e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fd608f05ebf2dee5ac6dd8b6a238ff1

SHA1
eeecf580002319595b55e664ea88bce0f8e54f99

SHA256
17f4d787f475a37db548da9b8a7cec021f400925fc5ebb28179e91dbd41e5532

SHA512
fb6e014dd4d19d0990fa907d7154c86a891491fb25fdf4eb088cc10913d8ed3f4522ba5c3cbe673024398cf38cc081ccc8ae8a12bf5a62db928bf82673707326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bddb1d5ca421ed9d39a20e84fe260439

SHA1
667cdb765b528877897decde046eb26af503cdcb

SHA256
021c9be4979e437821872b564c137e838df68e36015646807579fc1aa4f84dd7

SHA512
0752b747ce8b6b6bcca697cf1745355275d8010746a55b695032d7d6e728f0ab6e70f93fff56d7397e90972fa723cab5c6d97376a8863f3952eca577b609e6ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bfb7450da4c0517d4601c3fe14198c5f

SHA1
b4e05970d59a889bef2086e4fc2f7464f94b57fd

SHA256
76faa7429421f9169a5c2304f67fbf5ce92c231acb9367a59c4683f5c2594668

SHA512
3f6f383975b9f98ac853d5af3feab1c7458db5b040efe125c71df811d0c647d819907538581c27aac6d2cf1cffd752d638025bea682972f11636cc35037b2b94

Download Submit
C:\Users\Admin\Downloads\BitcoinMiner.bat

Filesize
262B

MD5
1b95e04dbd98deeabacd15b8cd17d161

SHA1
223280d1efaa506d6910fa8f0e954bf362b2c705

SHA256
76a32e2efb8b97a8c226bcb8bc5b113b4b6fce1077de6513405955bc6d74b169

SHA512
e2be3706491c1cdb9654d0720805dd96536c66f48bd7d8a4d781b5daeebfd22655cdb2d84ea1a1ec5c0d963b0f3982735975f032373c9083986cd1c01d379e70

Download Submit
C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 100244.crdownload

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 493116.crdownload

Filesize
301KB

MD5
7ad8c84dea7bd1e9cbb888734db28961

SHA1
58e047c7abecdd31d4e3c937b0ee89c98ab06c6a

SHA256
a4b6e53453d1874a6f78f0d7aa14dfafba778062f4b85b42b4c1001e1fc17095

SHA512
d34b087f7c6dd224e9bfe7a24364f878fc55c5368ce7395349ca063a7fd9ac555baed8431bfa13c331d7e58108b34e0f9d84482ce2e133f623dd086f14345adb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 740903.crdownload

Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 812785.crdownload

Filesize
48KB

MD5
21943d72b0f4c2b42f242ac2d3de784c

SHA1
c887b9d92c026a69217ca550568909609eec1c39

SHA256
2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

SHA512
04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 812785.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 896977.crdownload

Filesize
6KB

MD5
74f8a282848b8a26ceafe1f438e358e0

SHA1
007b350c49b71b47dfc8dff003980d5f8da32b3a

SHA256
fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

SHA512
3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

Download Submit
memory/1164-1106-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1164-1107-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1164-1109-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1164-1108-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1164-1120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3692-685-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads