hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

25/02/2025, 03:42

250225-d9rkdssjz5 8

25/02/2025, 03:37

250225-d6y53a1rv7 10

Analysis

max time kernel
150s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2025, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
36	852	msedge.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2488	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe

Executes dropped EXE 1 IoCs

pid	Process
960	PCToaster.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4216	takeown.exe
792	takeown.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	takeown.exe
File opened (read-only)	\??\V:	takeown.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
36	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PCToaster.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCToaster.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4528	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PCToaster.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
2800	msedge.exe
2800	msedge.exe
2852	identity_helper.exe
2852	identity_helper.exe
3928	msedge.exe
3928	msedge.exe
4756	msedge.exe
4756	msedge.exe
4812	msedge.exe
4812	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeTakeOwnershipPrivilege	4216	takeown.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3528	MiniSearchHost.exe
1656	javaw.exe
1656	javaw.exe
1656	javaw.exe
1656	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 248	2800	msedge.exe	78
PID 2800 wrote to memory of 248	2800	msedge.exe	78
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 1972	2800	msedge.exe	79
PID 2800 wrote to memory of 852	2800	msedge.exe	80
PID 2800 wrote to memory of 852	2800	msedge.exe	80
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81
PID 2800 wrote to memory of 1184	2800	msedge.exe	81

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2080	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e60e3cb8,0x7ff9e60e3cc8,0x7ff9e60e3cd8
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "
  2⤵
  PID:1172
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:4980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1604
- - C:\Windows\system32\net.exe
    net stop "SDRSVC"
    3⤵
    PID:3068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SDRSVC"
      4⤵
      PID:1480
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:2160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:4772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im "MSASCui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\system32\net.exe
    net stop "security center"
    3⤵
    PID:3880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "security center"
      4⤵
      PID:1508
- - C:\Windows\system32\net.exe
    net stop sharedaccess
    3⤵
    PID:1060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1068
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode-disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2488
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    PID:4336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
    3⤵
    PID:4724
- - C:\Windows\system32\find.exe
    find /I "L0Lz"
    3⤵
    PID:4860
- - C:\Windows\system32\xcopy.exe
    XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    3⤵
    - Drops startup file
    PID:436
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:5096
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:5104
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Users\Admin\Downloads\PCToaster.exe
  "C:\Users\Admin\Downloads\PCToaster.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:960
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1656
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h C:\Users\Admin\Downloads\scr.txt
      4⤵
      Views/modifies file attributes
      PID:2080
  - - C:\Windows\SYSTEM32\diskpart.exe
      diskpart /s C:\Users\Admin\Downloads\scr.txt
      4⤵
      PID:2496
  - - C:\Windows\SYSTEM32\takeown.exe
      takeown /f V:\Boot /r
      4⤵
      Modifies file permissions
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\SYSTEM32\takeown.exe
      takeown /f V:\Recovery /r
      4⤵
      Modifies file permissions
      Enumerates connected drives
      PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,7734821522509943341,17206355633737780162,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4996 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4815ecce34e90c0f6ca91c7e35be703f

SHA1
61ec0042ccee59f6bdf6b96eb9f412cc97717702

SHA256
5db366717739338c23e07ca15aea2b48924a3b3ecacb214221239333b11ae7d6

SHA512
751dfd6eea90fc4efb557611e8afc6ef1634c4e2bdd97f3c72638def09f644ebd8bf5696b9ed8379973106524d08c67188f7f64c0f941e8f95109920120dae05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53c68f0f93ab9a94804c00720a0bcd9a

SHA1
9009307d51e1fd60f9a90d77007e377c7f893434

SHA256
a38f0777d4ca9e777191cc924c22eb1847ae805ab79ff224860e8c70d7f49422

SHA512
a1d5b92fced821328a668fbfe9ad694b99c873ffa3ed28aa5bf1e8ef8054486289b5ddb26236cfa7c1ca0db993f306cdfc5878480b6a543aca1620075f77d670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8cee52fc17368b6de6ade0b171d30892

SHA1
cfeb696c6cdb31415df7c4af238741066667b2ed

SHA256
adb8116c3e86795f00f8fd505ba725ca820e175b84e7e774635d32940179a7f4

SHA512
089c077d8584d4a16127a220c1d18c16d1119a7f43682cc05b794acb4b449733b660870aeaa0c92bfac79a5c19e7e5cd125052640eb50c572e16ea23b569a1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
f6b24ad07edab42c88540a87562c81de

SHA1
dd8691937a6a089fd58b9db56b6f599022b48168

SHA256
ab8d2b9c88df9ac33fbf60ee72a5d8c84d0dbb28ebc1de08a4bae02a8af8071f

SHA512
5fa8a1df39ee12048ba5817c1962cb897a3454d69d78ad4c40e0f72fe04c4ccfca674a2d629dba8376f2862ca587163435318d4cd7b5ab5c64ec03703322ae1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d09fa8868e66f7c42d21eeba614dd942

SHA1
55d0bb2bd8bc9e5c51d73c7a2b63ff9e1ebbb456

SHA256
01d5f51eee60bf24394ca69672aabb0546abf9a998e7c1787fe27cf8628ca0d3

SHA512
ee81488f88929a4d3ba7fd8b6d06b9467953e938efc9dcb60db3ff4283e886aeeb6890081a42b1eb8d612a3a54bfa495efb44a002e1f9104664eb8734123a20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
180969859f869db4ab1353308c6ae18d

SHA1
e0d8c058954e529d07459d81e201df1714978d13

SHA256
97e70aae5500c74ffdd768d828b439591b37243bb886c892bb1d3ac6e368ed85

SHA512
3f81df448e9113885f2295329128c4375708a99e15507695d710ffdf594fe43564eab77b9d19cc285eb4b71e2803f7166f9dcaa317495ba85c778b08e3b8cf21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
31579664c59f31afd9bc7ae29b040ddc

SHA1
9ddfbb06ce1d495b4301976d48e265e516be01b1

SHA256
09c5d2b360b99f392aff6b9c24030141f85ce4bebcdd82b896cf912dd3ec3ec9

SHA512
f96bec91bcf3db9e7ea9909b9b27f761dcfa91423e9b506981eaf02c86aab988d41c0e4e15363202abdf22291677f59493a2a07d3b8ac356c15aeb0828f8f641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c6689101480038d27f256402625a9f66

SHA1
8cd1f886adc680041270a607e9918d7089e2275e

SHA256
676d72a17932b4860093d9d4e56d268e0db63ba100d248baf5eb12848aa8e54a

SHA512
7a5a13631927ebec7a9fad908daded65253a5c014f15ceec33293883029d04b05b807cb12718470feea54efe3ed66ab9e6d17963a11e5dcfea00af0ceba9f11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
cd5cf1dcb832f1024946cc54800a656c

SHA1
222610a8dcebf6d24d074786e6885683b24be405

SHA256
d8bcb66c58a74e2882b414e05fbd84425bff4527c4e5941d0bf0a7f7263cd56c

SHA512
b5b9848978dbdd4ead13843acb31f3fbb8d6e8a125bbdead7e497e7af9da4190a0c916e76a59a5f7cbe67e50c651ee08c7be536923fa12ebfea39e06f0ac4357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5813f0.TMP

Filesize
874B

MD5
03df9307040b119b3b3bde2d2e4d8269

SHA1
2e7642be186ea8dcf930529576aa38b7642ec75e

SHA256
8c4170783c4446fccdd50c2fb528cf22b246637564939557d83f4a0dda90930f

SHA512
571f9b168a64154cf160c05481ec8761859a4fa1dec62158e0103c672f9ee2510211b2a323eb42e1a7e3691b12f90c4e950dc1d8d0aeea3e4b1db5c94a708601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86e67b746fe39620224e0962fc0fce08

SHA1
989a520d141aa60cd8dacf0cf00c4d7c795a144e

SHA256
56a875bbef65916a32139f9115c44d51e0c48beeb6b178f46b60e6fc3b0d8e97

SHA512
35724224bbedaa69aaeb5b52ac857a88b95cf42c3d814cb41598cc629038684bfe06d881fbc7d88da95fa61606fc473bad058b4fd21bb03e3e406fa570a7b827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e4555524cded322db78cb95029e8022

SHA1
e4ef079ce1db80306e5f4be6de585402c89c4af0

SHA256
d53ff4e61e5861de0f3821aad90a92269e45c2492be2ce507f8d74e0d528422a

SHA512
1717094c126e77b324419ddc9ba07908896fa42c3de4ded273dca71eaf4af28c30605f4894a63d1de698075fc6184872d6cdf0c97c9588863c80daddc62f60a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ceb05cb4e0b25426918aa90b941b971e

SHA1
4f8805b2f75d6ba5e6539abccee17f6ecaf81eff

SHA256
ec06cf715253eac8ffbd7dfa5253d8a50daa0e0be2d708fe42693241825a5c1b

SHA512
bdd53c5808184dcdad7893e18152764e3b54291a361a6a71016c35c66d0c318662304bde7d07985ea14d6c8c9f9d639936d81bad24949af19e16ed06b64b8996

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
2237e76835bdbe6de268b1c9ba8c5f43

SHA1
9d0ff481e1175fe35145cbffbaa43e53e23915d4

SHA256
428d10927769a7e7f453af3bc213de9ea562e58e27bbbe892b7077fc1c41413d

SHA512
c34bc35afb397237b9a3c23234fd61bae0c49d86389b6eb721c2fb47c17b0036dd9eada47ccce557d8ef962267c9933e47a9971948e5f109f5a05dc46e079bed

Download Submit
C:\Users\Admin\Downloads\BitcoinMiner.bat

Filesize
262B

MD5
1b95e04dbd98deeabacd15b8cd17d161

SHA1
223280d1efaa506d6910fa8f0e954bf362b2c705

SHA256
76a32e2efb8b97a8c226bcb8bc5b113b4b6fce1077de6513405955bc6d74b169

SHA512
e2be3706491c1cdb9654d0720805dd96536c66f48bd7d8a4d781b5daeebfd22655cdb2d84ea1a1ec5c0d963b0f3982735975f032373c9083986cd1c01d379e70

Download Submit
C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 412625.crdownload

Filesize
6KB

MD5
74f8a282848b8a26ceafe1f438e358e0

SHA1
007b350c49b71b47dfc8dff003980d5f8da32b3a

SHA256
fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

SHA512
3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 546380.crdownload

Filesize
411KB

MD5
04251a49a240dbf60975ac262fc6aeb7

SHA1
e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0

SHA256
85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3

SHA512
3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2

Download Submit
C:\Users\Admin\Downloads\scr.txt

Filesize
45B

MD5
ad1869d6f0b2b809394605d3e73eeb74

SHA1
4bdedd14bfea9f891b98c4cc82c5f82a58df67f6

SHA256
7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394

SHA512
8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

Download Submit
memory/960-397-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1656-430-0x000002C0D2550000-0x000002C0D2551000-memory.dmp

Filesize
4KB

Download
memory/1656-433-0x000002C0D2550000-0x000002C0D2551000-memory.dmp

Filesize
4KB

Download
memory/1656-450-0x000002C0D2550000-0x000002C0D2551000-memory.dmp

Filesize
4KB

Download
memory/1656-459-0x000002C0D2550000-0x000002C0D2551000-memory.dmp

Filesize
4KB

Download