toxiceye | 99a161958aa54105ca4da8beaa81349916e6f8be606cfa3330e6bfd2cabf0d59

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanCrack.exe
Size

316KB
MD5

606f0b6807bd48c75df315455cdf3115
SHA1

386abb6a3af6d758c31622d333b1dd40111d576c
SHA256

99a161958aa54105ca4da8beaa81349916e6f8be606cfa3330e6bfd2cabf0d59
SHA512

8ee4a172934e79d0e670674c1e39a41d2e7eb7c30295f26aef6a6318be7764acb8e66107d4bfb6de080cf7d2cee5d4806974f4575f7a56305db5bd7c6197b249
SSDEEP

3072:3bGb9aUEDppbpYHDQWgzCrAZuRDTXJtFg3MZfZpxy4MfY9d1ZOeyDqL+WeCCOOSr:Kb9apnb+ifOx7y41keymL+WeCCOOSS

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7323288274:AAG3J41fmlCLnpBQrpmptPYElp52emNgHNU/sendMessage?chat_id=6002437029

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NursultanCrack.exerat.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	NursultanCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid	Process
2912	rat.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1684	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
4192	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133658563030040814"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
4108	schtasks.exe
4940	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid	Process
2912	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exechrome.exe

pid	Process
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
4848	chrome.exe
4848	chrome.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe
2912	rat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid	Process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

NursultanCrack.exetasklist.exerat.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	1708	NursultanCrack.exe
Token: SeDebugPrivilege	4192	tasklist.exe
Token: SeDebugPrivilege	2912	rat.exe
Token: SeDebugPrivilege	2912	rat.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe
Token: SeShutdownPrivilege	4848	chrome.exe
Token: SeCreatePagefilePrivilege	4848	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid	Process
2912	rat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NursultanCrack.execmd.exerat.exechrome.exe

description	pid	Process	procid_target
PID 1708 wrote to memory of 4940	1708	NursultanCrack.exe	89
PID 1708 wrote to memory of 4940	1708	NursultanCrack.exe	89
PID 1708 wrote to memory of 4356	1708	NursultanCrack.exe	91
PID 1708 wrote to memory of 4356	1708	NursultanCrack.exe	91
PID 4356 wrote to memory of 4192	4356	cmd.exe	93
PID 4356 wrote to memory of 4192	4356	cmd.exe	93
PID 4356 wrote to memory of 4724	4356	cmd.exe	94
PID 4356 wrote to memory of 4724	4356	cmd.exe	94
PID 4356 wrote to memory of 1684	4356	cmd.exe	95
PID 4356 wrote to memory of 1684	4356	cmd.exe	95
PID 4356 wrote to memory of 2912	4356	cmd.exe	96
PID 4356 wrote to memory of 2912	4356	cmd.exe	96
PID 2912 wrote to memory of 4108	2912	rat.exe	99
PID 2912 wrote to memory of 4108	2912	rat.exe	99
PID 4848 wrote to memory of 1572	4848	chrome.exe	109
PID 4848 wrote to memory of 1572	4848	chrome.exe	109
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 3224	4848	chrome.exe	110
PID 4848 wrote to memory of 996	4848	chrome.exe	111
PID 4848 wrote to memory of 996	4848	chrome.exe	111
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112
PID 4848 wrote to memory of 3940	4848	chrome.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1708"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4724
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1684
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffff257cc40,0x7ffff257cc4c,0x7ffff257cc58
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2144,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3680,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5248,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3248,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5676,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5200,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1120,i,9564658601043405603,15433006234291624967,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:3888

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b37e4f95de32ce0ca62908fea86af854

SHA1
a2a484cdc213a466b590f8d0574b55255775001b

SHA256
c79fa402e184c09456b330fd547f01240f87a4eccf6a465e1f09687874963090

SHA512
b119ea311db17c098d32297b783be70c06b3993cc4a76854fa799b61969fb6a26dce985e05cb706f17b80b4867aa8c76a084e1252a30f71c74dabff09c38c605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4c7cd9fc5a305c9ddaa78626c3419b09

SHA1
22875d0384bce33a6824e918165422f3035dc472

SHA256
dcb08bb420d05d8b615776d557baa44a267d14dd5b82281bcf5ffd613b8be6d3

SHA512
d2933478418e09b4b1450f9e44c5b980c774226b1c55fff87d07fe5de865a8ac98a94024065c5f5ec67946bd1e6fe09ffce82389dd79427b1f9b4b6ff499937c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
26855c88751700a4abe7f80bad0a7b77

SHA1
eed6f4ad18a5473b2da7eb7449a8508b42542bf5

SHA256
20339383e9843953f41726e12ee8fd91dbdec8e51f368e77d0ea24df736d86e8

SHA512
ad437fc97abd6ace6eef93f12c36b525dbe75b137d9a9e3b64c98eae6e2b59a40c2bacfda643b8a786e456281699b199b2c8fa47b9466d468493004bbf77fd3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
afe1cf081ba4a30ca49f4fbe83defff2

SHA1
3ae71be2acc58abd0c87770e91f0d40e34fe7001

SHA256
34b2c128e59481fc38f474dce18395d88c3b7f3941e3d9ef237fb88061163fda

SHA512
f7a919d578121ba4c2e66ef025da97dd535e8c181548bc21e7c6bb91865bf228833fcfe31ab3afd194bfefa625d59ca9e01e4dfc932c547814168b8c1ea39080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b8d4b5f61b9af6a372f47aabbb71b002

SHA1
4a3b45fa48d197d4992e80589d7b245d8cf6ece1

SHA256
389bb1b2997dbc0808ae46509483c9941e2e4e80ca3b0d1d406b62610659bc94

SHA512
42355e677975b3b02a8428777d8808ec1e3659dd77274693579701dee41dadcb15c65f01d63f4fa882a740fb067dad7a094bdacff27d1900fc75064e947bfbfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
060f91783c3848838f282cf4aa0e5b38

SHA1
216f9c54da2ac5e951c9a5424052691a435cbc02

SHA256
6de5289615180f201f6e6b35e68602757f11522782901c61467ee7ece526302e

SHA512
0330f794f2d14fceb02b89e50010c7345a0cddf50517ae743b31f3eaffa31937471c502e9d462f34aeb123168aab961403cf9067ef12b4dcc6ddbdc271fc21c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4674c7824fffa282a6ff35b288b2c801

SHA1
9eb2f3becabdb73e775ce0d980fb170560b9a61a

SHA256
242ee42ae4a6fd9dd103d2e4923a1d1756e75a89ec7546940a3918aaaacc0abe

SHA512
abfa59ca9e76d7df64135608e08fb0214a7dd21749ff7c8bc4fb61f71aea07092686071487ccce42e82a1d9b0cf64e9e71568a4bad5721e5be23c9015c0706ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4f4c7cb8739f84baf7afb84c6273f1c2

SHA1
c1477421a08b63cd2e68ff97eaf576916f4eb84f

SHA256
477801f8863824d8b55791a6c576d954a24cc44bc9fdf0763182fa10cd89d65c

SHA512
e513c2a78104b30d541f4f4d68071a185b7c8a4b67bf1da93324fb20ede2b84d5b5cd880406adbb1506fde83c755c3d1d31a9afc8c6f86d1c0d78095b508cf8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
039f793bc8407ac5cc219e20ae8a8a80

SHA1
2dd8fe2ac075f84f8e1086a0f476b67323bf720e

SHA256
d52c10e9948101c3c4c6278796a799ac64fa9d492a135292da9f1b0c1e9b733c

SHA512
26bc4a37cee601234bd7080fb9a60a82bd875cebb9d7c1ebaf07a7fc88f165ff578a0fcf82ac01f7e541b0624e2f265795f5bf0e43e89193e246da39d3b03a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b01c2a26890e27f8fe55930f9ff1f70c

SHA1
7e8f97f35a9282d5613b22e9545294f778141957

SHA256
ecd6464bdd6f97737c998aefc40bbca1e6ec089905f33c32b9be653ea8431312

SHA512
f552a85eaf8e2d33b21ff41f8fb4c1d1bab9453507378e0e4246ad88b0c59527b82fb8158c4753e886941226b3cbd708db1e7f9f56986ef1b45cfaee8c6ed95d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c0fdb6dc319bd2256e7a462f0df81dd

SHA1
b8edf722c834139c44d9f9fd925d2aaf7b2777e4

SHA256
8689063f7b8de7846c9d7d441430ea5847af1d6452776314dd0d9ffd58c21b79

SHA512
61fa28548644bc112f599bffd6e93cad9c26fc5b81b8b6a6bea6885a5681dac030ba162099e1b04bc432ee763ecabd7b96d9b7918215ba726b6de35c4c81995c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7b06f9157758d4b8823713d58926fe3e

SHA1
64a39b2f06289a1c36ba01e82023a81309efab0b

SHA256
b1cbb7bc6f7962c7c8b787b04bb76637354c0d9464ac0ee6ec13778c0455c06e

SHA512
273b97c383f3df3023e308e91115c01f5fc0234374fe3a9f9bf7970f47e2d193808848e2fec883a71e37c3d39ba581abb446e1d94599c801928da2242673e458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
252240414c2e08f1a6ee3cd99b045a97

SHA1
d86e7fe081e804ae4e9fcf76fc4608bb738cddeb

SHA256
d891cdfd235593acdd70ab94c6e673f3937648c7c3c7e4f25b96d5d5a849cd80

SHA512
b5923ee58e46e97e54f86c9ca4d7a7f258b3932ffe6353ca49b0bb1a2ec4f50ab434e4cb021cc63044183fadac227f7b7b3dea6b556f0cc20c9193ebbfc4b01c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
28bdf11fb5fa0e3e4445a75eb0519ea9

SHA1
010578972be949f7c1809f7cf7658aeb63294ed4

SHA256
7a481c17e644abc896af38e1a68c3c0b5b504a30c9a564d603b8620a995e93e8

SHA512
2f211d663c5517f6cbb0a35810d3d1fb82da6c9b26addb0239b266ab901d33033fd6338c3b7f90c9306a43552a8ab431692f994689dfa1ccb1c6f4d58328db43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
237382da374796cab0d8244bbcb0b59a

SHA1
676a94f23d73aed006108a57dce32480d165b4c9

SHA256
80cc8e305b5ff7a6918a9277dd29b57e0b328724b85f6fcb8b37bcfb1780e89f

SHA512
91e737d6e16b85e451083bded1ced199ed0bb46f7707df4059cb8f12afae4833b7d21b8486cd576be513edf9f506acb1685c68d490a77498d6414aaa14f3bd90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbcef60ef06f635c68f8af15442f354a

SHA1
bc4fc5fa6c93a2310b6d9a4937ff83281e7f3891

SHA256
2f60b3398e8fa2c216e7dd7770f34a7b87b0dc450dc294494d918945159674c1

SHA512
606fc5f42ddb1fb333998585d8b890cdf0568a94133f99edd52ff648da1530148362d4925a4ceb81d2ec68b0aca344dd7eab75d95782da944d8c68ac3dcf6067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
59708513114381a394957664a680c6d5

SHA1
fdeb6fe80ba96ce7ef218651bcce046aeff0e025

SHA256
ed4ec0b099c6636abdadbb79002977c867efc163a9466d9a84f86baa4391f6de

SHA512
7528e9bf0b563fff20e2f3609cf67a351733509f61151af450e5bab7dc003c557cb7718b7cd40910c24f53e4de13842917926f3aef62b90e22eb4e7d87c0735f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\FileSystem\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
eb4386e5a5fa83a3ea9a2f563ae6384d

SHA1
d6392dc80f352039610785d509a9594c93308a19

SHA256
6606e60f603f98e1824d8638258f07ff040022d5f9ab350f492239c5ec308d0d

SHA512
d553ca1716ade3ba1dd1051bf89bb02bb239a43ee66eb766f8d68c6e68bf591d9d7df1fec6288c3d9b567f54f2b642b8b9a946191c52f7866ef758639eedcb5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
9ee2f73f20bcab05e00149a5d4c596a6

SHA1
c475c1764bde0ef31ab13246a1256710d6058b9d

SHA256
c280b01b661a3f9c6fa62a26d753a4d1a2831bbef2abc2c6106ee2a35e93c992

SHA512
c5faf61b22ae14f2efb24e99e2e57602abff8961aba55aa635894db4fbc8bdb802dde2cc65a77eb3b94de6ad7b0fc31fd9d6906bd424f0c8adef1ba8ded471a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp.bat

Filesize
191B

MD5
141917d20009a3eb133d67c3b56c4f9d

SHA1
e32024d4ae77d3ad6bebbd91f4651112a7fd59c7

SHA256
56163eb4aedb96013dc09373f6d537f32932630bc790570e669df562f87d6b22

SHA512
da91ae787b46428579136e2a55095b62fa892c8fede41a818fb6beac7472f65a859ef91c5aef2d95695d3e35bcde06e30790d8b8f866326ebe5e13888c65d12e

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
316KB

MD5
606f0b6807bd48c75df315455cdf3115

SHA1
386abb6a3af6d758c31622d333b1dd40111d576c

SHA256
99a161958aa54105ca4da8beaa81349916e6f8be606cfa3330e6bfd2cabf0d59

SHA512
8ee4a172934e79d0e670674c1e39a41d2e7eb7c30295f26aef6a6318be7764acb8e66107d4bfb6de080cf7d2cee5d4806974f4575f7a56305db5bd7c6197b249

Download Submit
\??\pipe\crashpad_4848_BBOWHEDXJANKYOWH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1708-6-0x00007FFFF7890000-0x00007FFFF8351000-memory.dmp

Filesize
10.8MB

Download
memory/1708-1-0x00007FFFF7893000-0x00007FFFF7895000-memory.dmp

Filesize
8KB

Download
memory/1708-0-0x000001E75D480000-0x000001E75D4D4000-memory.dmp

Filesize
336KB

Download
memory/1708-2-0x00007FFFF7890000-0x00007FFFF8351000-memory.dmp

Filesize
10.8MB

Download