Malware Analysis Report

2024-08-06 11:58

Sample ID 231230-est5maadcn
Target 0e08fd42b72428353738a47765a4fe33
SHA256 e80980441a46b804f0724d7384ad5472b933adc6dbee72c2a8bb678269c446cb
Tags
toxiceye rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e80980441a46b804f0724d7384ad5472b933adc6dbee72c2a8bb678269c446cb

Threat Level: Known bad

The file 0e08fd42b72428353738a47765a4fe33 was found to be: Known bad.

Malicious Activity Summary

toxiceye rat trojan

ToxicEye

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-12-30 04:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 04:12

Reported

2023-12-30 21:17

Platform

win10v2004-20231215-en

Max time kernel

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe"

Signatures

ToxicEye

rat trojan toxiceye

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4356 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 536 wrote to memory of 4356 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 3856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 3856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 2056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4356 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe

"C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1772 -ip 1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" start www.google.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf9fa46f8,0x7ffbf9fa4708,0x7ffbf9fa4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13667185267709612120,15705058605898574530,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 51.104.136.2:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 40.126.32.136:443 tcp
N/A 40.126.32.136:443 tcp
N/A 8.8.8.8:53 udp
N/A 204.79.197.200:443 tcp
N/A 8.8.8.8:53 udp
N/A 20.231.121.79:80 tcp
N/A 96.17.179.56:80 tcp
N/A 96.17.179.56:80 tcp
N/A 96.17.179.56:80 tcp
N/A 96.17.179.56:80 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 96.17.179.56:80 tcp
N/A 192.229.221.95:80 tcp
N/A 192.229.221.95:80 tcp
N/A 192.229.221.95:80 tcp
N/A 40.126.32.136:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 20.74.47.205:443 tcp
N/A 20.74.47.205:443 tcp
N/A 20.82.154.241:443 tcp
N/A 51.104.136.2:443 tcp
N/A 8.8.8.8:53 udp
N/A 40.126.32.136:443 tcp
N/A 23.44.234.16:80 tcp
N/A 20.231.121.79:80 tcp
N/A 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
N/A 20.74.47.205:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 40.127.240.158:443 tcp
N/A 8.8.8.8:53 udp
N/A 40.126.32.136:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 13.107.42.16:443 tcp
N/A 40.126.32.136:443 tcp
N/A 8.8.8.8:53 udp
N/A 51.124.78.146:443 tcp
N/A 51.124.78.146:443 tcp
N/A 8.8.8.8:53 udp
N/A 142.250.200.4:80 tcp
N/A 142.250.200.4:80 tcp
N/A 142.250.200.4:80 tcp
N/A 142.250.200.4:443 tcp
N/A 142.250.200.4:443 tcp
N/A 8.8.8.8:53 udp
N/A 224.0.0.251:5353 udp
N/A 142.250.200.4:443 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 142.250.187.227:443 tcp
N/A 142.250.180.3:443 tcp
N/A 142.250.180.3:443 tcp
N/A 8.8.8.8:53 udp
N/A 52.165.165.26:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 96.16.110.41:443 tcp
N/A 192.229.221.95:80 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 52.165.165.26:443 tcp
N/A 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 13.95.31.18:443 tcp
N/A 8.8.8.8:53 udp
N/A 142.250.179.238:443 tcp
N/A 142.250.179.238:443 tcp
N/A 142.250.200.4:443 tcp
N/A 8.8.8.8:53 udp
N/A 20.82.154.241:443 tcp
N/A 8.8.8.8:53 udp
N/A 52.165.165.26:443 tcp
N/A 8.8.8.8:53 udp
N/A 96.16.110.114:80 tcp
N/A 8.8.8.8:53 udp
N/A 52.165.165.26:443 tcp
N/A 52.165.165.26:443 tcp
N/A 20.231.121.79:80 tcp
N/A 52.165.165.26:443 tcp
N/A 40.126.32.136:443 tcp
N/A 13.95.31.18:443 tcp
N/A 8.8.8.8:53 udp
N/A 104.77.160.23:80 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 96.17.179.61:80 tcp
N/A 8.8.8.8:53 udp
N/A 20.103.156.88:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 40.126.32.136:443 tcp
N/A 8.8.8.8:53 udp
N/A 52.111.229.43:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 23.37.1.183:80 tcp
N/A 23.37.1.183:80 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
N/A 8.8.8.8:53 udp
N/A 20.54.110.119:443 tcp
N/A 13.95.31.18:443 tcp
N/A 8.8.8.8:53 udp
N/A 96.16.110.114:80 tcp
N/A 8.8.8.8:53 udp
N/A 20.231.121.79:80 tcp
N/A 8.8.8.8:53 udp
N/A 20.223.35.26:443 tcp
N/A 20.223.35.26:443 tcp
N/A 20.223.35.26:443 tcp
N/A 20.223.35.26:443 tcp
N/A 8.8.8.8:53 udp
N/A 104.91.71.140:80 tcp
N/A 104.91.71.140:80 tcp
N/A 104.91.71.140:80 tcp
N/A 104.91.71.140:80 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 96.17.179.83:80 tcp
N/A 96.17.179.83:80 tcp
N/A 96.17.179.83:80 tcp
N/A 8.8.8.8:53 udp
N/A 204.79.197.200:443 tcp
N/A 204.79.197.200:443 tcp
N/A 204.79.197.200:443 tcp
N/A 204.79.197.200:443 tcp
N/A 204.79.197.200:443 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 96.17.179.77:80 tcp
N/A 104.91.71.140:80 tcp
N/A 96.17.179.77:80 tcp
N/A 8.8.8.8:53 udp
N/A 104.91.71.140:80 tcp
N/A 104.91.71.140:80 tcp
N/A 96.17.179.83:80 tcp
N/A 96.17.179.83:80 tcp
N/A 104.91.71.140:80 tcp
N/A 104.91.71.140:80 tcp
N/A 96.17.179.83:80 tcp
N/A 96.17.179.83:80 tcp
N/A 104.91.71.140:80 tcp
N/A 8.8.8.8:53 udp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 8.8.8.8:53 udp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.16.110.114:80 tcp
N/A 96.17.179.68:80 tcp
N/A 8.8.8.8:53 udp
N/A 52.142.223.178:80 tcp
N/A 96.16.110.114:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 96.17.179.68:80 tcp
N/A 8.8.8.8:53 udp
N/A 104.91.71.137:80 tcp
N/A 104.91.71.137:80 tcp
N/A 8.8.8.8:53 udp
N/A 8.8.8.8:53 udp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 8.8.8.8:53 udp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp
N/A 96.17.178.192:80 tcp

Files

memory/1772-0-0x0000000000660000-0x00000000006B8000-memory.dmp

memory/1772-1-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/1772-2-0x0000000004FB0000-0x0000000004FD4000-memory.dmp

memory/536-3-0x0000000002B70000-0x0000000002BA6000-memory.dmp

memory/536-4-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/536-8-0x00000000055E0000-0x0000000005602000-memory.dmp

memory/536-7-0x0000000005130000-0x0000000005140000-memory.dmp

memory/536-19-0x0000000006060000-0x00000000060C6000-memory.dmp

memory/536-14-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/536-20-0x00000000060D0000-0x0000000006424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nglnrfi.cus.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/536-5-0x0000000005130000-0x0000000005140000-memory.dmp

memory/536-6-0x0000000005770000-0x0000000005D98000-memory.dmp

memory/536-21-0x0000000006490000-0x00000000064AE000-memory.dmp

memory/536-22-0x00000000064C0000-0x000000000650C000-memory.dmp

memory/1772-23-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/536-26-0x0000000007460000-0x0000000007482000-memory.dmp

memory/536-27-0x0000000007AD0000-0x0000000008074000-memory.dmp

memory/536-25-0x0000000006970000-0x000000000698A000-memory.dmp

memory/536-24-0x00000000069E0000-0x0000000006A76000-memory.dmp

memory/536-28-0x000000007EE90000-0x000000007EEA0000-memory.dmp

memory/536-43-0x0000000007600000-0x00000000076A3000-memory.dmp

memory/536-42-0x0000000005130000-0x0000000005140000-memory.dmp

memory/536-41-0x0000000005130000-0x0000000005140000-memory.dmp

memory/536-44-0x0000000008700000-0x0000000008D7A000-memory.dmp

memory/536-40-0x00000000075E0000-0x00000000075FE000-memory.dmp

memory/536-45-0x00000000079B0000-0x00000000079BA000-memory.dmp

memory/536-30-0x000000006F870000-0x000000006F8BC000-memory.dmp

memory/536-29-0x00000000075A0000-0x00000000075D2000-memory.dmp

memory/536-46-0x00000000079D0000-0x00000000079E1000-memory.dmp

memory/536-48-0x0000000007A20000-0x0000000007A34000-memory.dmp

memory/536-49-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/536-50-0x0000000007A50000-0x0000000007A58000-memory.dmp

memory/536-47-0x0000000007A10000-0x0000000007A1E000-memory.dmp

memory/536-54-0x0000000074B40000-0x00000000752F0000-memory.dmp

\??\pipe\LOCAL\crashpad_4356_COJLIQEQEUBYJSJR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a5cd2ceb65cc737f706c8c2774b34fc8
SHA1 b88840ecd3ef2ffa99957df5484c1f5b96fae87f
SHA256 2ab48be2ab0a8e360b132729ca151a590391a9ee02d9a085e1122bff9e0b1934
SHA512 5e79e6aa98930f96adf82ef68a95938b37d8075224f94b820693362722655a1092c2cb1e0b292b90dc019e21e7fd13f12581ee869fbfa0cb1e21aa18ab1881af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1 d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256 cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512 cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 721aae8dc6a772d400789f02402dd601
SHA1 9f01e3f26a277621e0a0c879416f3478baa35654
SHA256 2eee17643848144034c318e9a855605b611f91543e6f633609d662bdc18bb963
SHA512 18a802ea923c423975105c4b6c616037c153ed9039f669f3276605862638dd7deb39a1199a56d00f00afad5d5c3dea941a0ee35cb86e6aa20a6113dba3042677

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dfbe4db33e5e00dc9d7cd5bced0ad187
SHA1 4f330afec0e4c67d5ce9e3d76ea2c3cc029d1b76
SHA256 25045e713bc102fcfd74bb1b8af179860fc635136d6946091e9d278c87d8b169
SHA512 c5616e0c0a79cad8140a2d307653df7071e518c44daf9fb39861b85a8939bce3879a65df6a58be7186e790d80f0aa6d328eb5736385a4b611687357fea34d30c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6db2d2ceb22a030bd1caa72b32cfbf98
SHA1 fe50f35e60f88624a28b93b8a76be1377957618b
SHA256 7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
SHA512 d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a7eac3eee3ecf89ece2818ccf4717489
SHA1 726e7994a0aab92ddbc802d8fea9a019d82e2456
SHA256 8a8fe108224996584c4c63d16eda4251dd8adf72bb7f2f610b043a02ca3ed0f0
SHA512 9f002d751623023e0059289059906d539587fd0d52c97729becea655d313c707ca4fe4d7a2312144c75b65ad66526da482e4487b901603a15339a1e11f5659af

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 04:12

Reported

2023-12-30 21:18

Platform

win7-20231215-en

Max time kernel

118s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe"

Signatures

ToxicEye

rat trojan toxiceye

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a061b783653bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd769173341890000000002000000000010660000000100002000000093e12d08bb4a807ffb5ff33db2f3d436f4abf064df0127c450be7cc5e93f1cc1000000000e8000000002000020000000e17b955e0316875dcb2f70d9e503ba3588926f6423b2db2084c85766b8c05e23900000009f7f9f7b9d76a9f8b89277b9b8737764378ce5fba4405a8d8417fb85cc9bcc62b9a8519befe482b2d57c7029858041dd25603d53b37b1053ad746134186acd84aad406e583cf0e8a3ba7730091f5d8bf3e6343ebf68e6e4258dcc6cc0f531ff54a06e17aaa0aee3d4ac5e361266293a61ee22996e18dc89cfc603660963eda1e8096c6eb00482a4f1f43dde95bd3e0bb40000000445774eddc7e90a9325f3aa7d02f81e7bac7c5e78fe6f64b4fc9551c7feb665d46483f31e0d254a2a437c2ca244b2fc5b8932965c1c6279e53e73e58e75d36b1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A85288F1-A758-11EE-8420-EED0D7A1BF98} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410132857" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd769173341890000000002000000000010660000000100002000000071514a01f1609b0190e9c59b9df7ccd9211158dc5481b912170f25a8c2a2d4a4000000000e80000000020000200000002ee0329b7d4f13689338068476bef59fc1e4e16f579fb63d26671d84c8c6b56d20000000f1737289150a085761c7cc588d32013480b12be97e2cad1bd7cc3b60d16654354000000011fbda15708e4e014e5f6cb23343081e72bc85cceb829bf81a123f44f43ab56b6f7031859c7aadc65de43fcefc0442debf8695695b4729202245c02c8f40be0d C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1200 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1200 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1200 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1200 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe C:\Windows\SysWOW64\WerFault.exe
PID 2764 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2764 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2764 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2764 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1352 wrote to memory of 1400 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 1400 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 1400 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 1400 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe

"C:\Users\Admin\AppData\Local\Temp\0e08fd42b72428353738a47765a4fe33.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" start www.google.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 628

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:80 www.google.com tcp
GB 142.250.200.4:80 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1200-0-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1200-1-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/1200-2-0x0000000000720000-0x0000000000744000-memory.dmp

memory/2764-5-0x0000000070C10000-0x00000000711BB000-memory.dmp

memory/2764-8-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/2764-7-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/2764-6-0x0000000070C10000-0x00000000711BB000-memory.dmp

memory/2764-10-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/1200-9-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2764-11-0x0000000070C10000-0x00000000711BB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ced023fdf2919ad71115fe494ee5d339
SHA1 ebe0780c1867961d56145134970386516412c4e9
SHA256 770b3e85e955c93d72212e19c4f6a9370dcfa59d33fd129367160e886c995001
SHA512 6b16b421cd18092f6b8098bc84006da33d5597a1e6dfbb21f4667380bc04c5cab0b1a489779fe29cabdb75246853b62df2f3f24e8b9f3efa6af6e34ab5311b4f

C:\Users\Admin\AppData\Local\Temp\Cab44FD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar453E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 753ed76891b97b99ed1ba9d5e2db4512
SHA1 2ab4fad6e15cd0ded82ccb96b0291d63af9b9c2c
SHA256 c9bf6a6002a6cabbb3651e645ff55ba014949601513ed63d86475d169c455626
SHA512 21d7bb0e61a75e3be312dc676398b4232107459be5255167aa5a48d49892a317835fa739141fa7373aa0d6f27911a1807daac2aaaa2ca7984d12f5ad96e42064

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 213a789110e442236d1c73df76aa6bfc
SHA1 c1b5a4354bf4bcd847a645455b5b7559069e3799
SHA256 a70af5f82bb580183a6532efd80c31ad2a95d96150675b326754eed457d5ace0
SHA512 deff36f9fae5e39eb5d3cfa37194f6eaefbec9c61ffebc68922f2a8e5ea036c00f4d7730505ee7cfb95dc258c918b886b5f0c726de966a9bdf66c29239e880e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 696f1a9b06437f6a2a784d8f51ab111d
SHA1 73aef76cd72f6f580b264978d03b1c62cc5ba7c5
SHA256 8f2b14c3959981b7011f4a3ec612e595bae06e466f7dd825dffd037e949cb311
SHA512 35e89bdc72a80f98a3b9243a1ec0a723b3964d35535a678608a81309169e1530d5ae32a03e55bf98469dc90bf42bb44fd6170271396dc0f35b310e1d39f7c69d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e18c75845870ae71898a3c18580382ed
SHA1 61d16d8133875064d751627be3970a337df61683
SHA256 7caed9cb57299b6168f3befdeb668a5b7f4a7de4956ec1bc74874018f0e97920
SHA512 7e5b89e307b085f579aa7f07e0387f73711c698d71b76d11843cdbfc8e90b81df815da78367f911ec378b80da25460664cc9aa41fe62fa036a28c720f021b057