Overview

overview

10

Static

static

1

URLScan

urlscan

https://mega.nz/file...

windows10-2004-x64

Analysis

  • max time kernel
    56s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 20:33

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0

Score
10/10
gurcutoxiceyediscoveryratstealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdate

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347527

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347528

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa62ab46f8,0x7ffa62ab4708,0x7ffa62ab4718
      2⤵
        PID:4672
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        2⤵
          PID:4068
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2668
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
          2⤵
            PID:3620
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
            2⤵
              PID:2932
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
              2⤵
                PID:5048
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
                2⤵
                  PID:4696
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4860
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
                  2⤵
                    PID:3056
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
                    2⤵
                      PID:1580
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5872 /prefetch:8
                      2⤵
                        PID:2092
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
                        2⤵
                          PID:2372
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
                          2⤵
                            PID:4640
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3388 /prefetch:8
                            2⤵
                              PID:3348
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                              2⤵
                                PID:4552
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6336 /prefetch:8
                                2⤵
                                  PID:4356
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,12960995481214380564,4588381044187263562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5192
                                • C:\Users\Admin\Downloads\TelegramRAT.exe
                                  "C:\Users\Admin\Downloads\TelegramRAT.exe"
                                  2⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • NTFS ADS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5308
                                  • C:\Windows\System32\schtasks.exe
                                    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
                                    3⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:5488
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCAB2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCAB2.tmp.bat
                                    3⤵
                                      PID:5548
                                      • C:\Windows\system32\tasklist.exe
                                        Tasklist /fi "PID eq 5308"
                                        4⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5620
                                      • C:\Windows\system32\find.exe
                                        find ":"
                                        4⤵
                                          PID:5628
                                        • C:\Windows\system32\timeout.exe
                                          Timeout /T 1 /Nobreak
                                          4⤵
                                          • Delays execution with timeout.exe
                                          PID:5664
                                        • C:\Users\ToxicEye\rat.exe
                                          "rat.exe"
                                          4⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious behavior: AddClipboardFormatListener
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:5684
                                          • C:\Windows\System32\schtasks.exe
                                            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
                                            5⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5812
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3188
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1416
                                      • C:\Windows\system32\AUDIODG.EXE
                                        C:\Windows\system32\AUDIODG.EXE 0x49c 0x310
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2196
                                      • C:\Windows\system32\taskmgr.exe
                                        "C:\Windows\system32\taskmgr.exe" /4
                                        1⤵
                                        • Checks SCSI registry key(s)
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:6116

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        ab8ce148cb7d44f709fb1c460d03e1b0

                                        SHA1

                                        44d15744015155f3e74580c93317e12d2cc0f859

                                        SHA256

                                        014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

                                        SHA512

                                        f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        38f59a47b777f2fc52088e96ffb2baaf

                                        SHA1

                                        267224482588b41a96d813f6d9e9d924867062db

                                        SHA256

                                        13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

                                        SHA512

                                        4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                        Filesize

                                        72B

                                        MD5

                                        3e2eac8b8a42a0fa83bbb887fd353a7a

                                        SHA1

                                        1753fe6588cb1aa773479f5dea050cde616cdef2

                                        SHA256

                                        aa5964e3c9c9cb1cb6744f06820a6b58b1a170533c60c370139eeecdc5258980

                                        SHA512

                                        08779583a7f47270b2f198806b08e61d3856e2e6dbd9a89ceaff95553817f359c8cb34e746b28a039d705954601c9a1789bef2f64847b80ef5246b3062e07379

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        46295cac801e5d4857d09837238a6394

                                        SHA1

                                        44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                        SHA256

                                        0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                        SHA512

                                        8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        5KB

                                        MD5

                                        145762ab0763ba0c5563dfcf5fd38191

                                        SHA1

                                        edb34a25c21162b5a2112da51dd8eb53d0b82b11

                                        SHA256

                                        42c588caf98de085c8a96a854da3c140107eced648fa85859179a62d66168fda

                                        SHA512

                                        89d2f814150435c208c1589c8816547cbcd961fe75a0fe80af32e8191569bc3ea9eaab40d1ed2907504949cfae4c47394068ff07c6583cf4ae111191e92a4f4f

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        ded795e66acef28dc64926f9999ad3c1

                                        SHA1

                                        40d0bd08ec50cdd0127a695a2f61863127341d9b

                                        SHA256

                                        0078e29021eed267980605f228f0687ef50841d50edf586c00f9a96a379b0cb0

                                        SHA512

                                        f98b3181a16b98b4c32e51f1a431ce2b3186a2d8033725a8b8aa6977605c73a8b4f358eaeb89ef6089aab862a4c1cb78ab06cbd2c7477a3ac72ea04fbe582e6a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        760a7a3f727ee558a15fc625f7ed06d1

                                        SHA1

                                        66e47f6d6f509d2e17015d4475aac777b5d61a83

                                        SHA256

                                        dd0905d7bb95dc6a94a5a8782f1c7b0efa2514dfc724ff1753bfa53e528f0dc0

                                        SHA512

                                        73ac263deb96d073042b2e0cfa4d7979f8fac5e75fbcfdad70b8b05a8a411616460ecc8864964557fe024eb2212eae9cb990a4a926a72a4a4ef03d8b163e6d29

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
                                        Filesize

                                        41B

                                        MD5

                                        5af87dfd673ba2115e2fcf5cfdb727ab

                                        SHA1

                                        d5b5bbf396dc291274584ef71f444f420b6056f1

                                        SHA256

                                        f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                        SHA512

                                        de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                        Filesize

                                        72B

                                        MD5

                                        1c592457bc312b31238380f3f96400ca

                                        SHA1

                                        09cb5b11e67833760c33768d00f82f23ad98e574

                                        SHA256

                                        9d76d6f6e5b1406656a8a4a655979ebc2267a530090c4197c8c14cf9b99bc55d

                                        SHA512

                                        563438d0b4e31de820732a487101b368c6ce99b60d16b36afd230dd105dee12ed624acd18a31e51fa5dbe4d80e9717319e6662ce24da83c3f6e481cf5c86f5b9

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57eb0c.TMP
                                        Filesize

                                        48B

                                        MD5

                                        2256807bb7d871df7afafbb04cb17c06

                                        SHA1

                                        97b98a99de589cf7b13870525cd587b4685eb0a0

                                        SHA256

                                        0d97aa62f0980512ab2ab70231ed8fa4619b6da1e43eefcb979e0995c2146d45

                                        SHA512

                                        032c7d9448edc5525363aa94bc17eea630164ad8c929ab65953ee08777a6715c11d259cab69e7ced86372baad150c5d76eafedfa169b0cfec6da997a8cb7a207

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        10KB

                                        MD5

                                        a120e6ca0271c52751d337627954b92c

                                        SHA1

                                        a9ce84290fd225f1ffac2907c0ba142d8b315ebc

                                        SHA256

                                        2db9cf43b381ad2dea49a93c928ff9e834ab2855af684d4910fbb8f7e6ff4ee4

                                        SHA512

                                        00cb35af1915a180d9bfee3ab477f8be385a480c70aa149bd9c73836095a15800d4d7b67e4426133b0512991538cc880e8479db6ac45fdcc5eb63e97fe7ae091

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        10KB

                                        MD5

                                        a52107f6114301bdf02971dccfba1ab7

                                        SHA1

                                        080e7f55cbcef88e1f3f470b71173cb100f09eee

                                        SHA256

                                        71961cdb4599381d9808941ef682aecaf3bdaabaf3c7dc8864637d0945c91e1e

                                        SHA512

                                        6e8f9a205a29b71cfaa0bcb783a4a6a60cc2c627648be66090125cf2580cdc65bcdf69d17b9436d96cb498a0b328eda61a8fb9b0fc29672ced923d1b83061bf7

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\tmpCAB2.tmp.bat
                                        Filesize

                                        188B

                                        MD5

                                        3b87f2502f66279128e2298730b68197

                                        SHA1

                                        2a604509e482ea0597456f0496e3168a09f64d13

                                        SHA256

                                        3fd8e9f35465cc6a01d73d27500d958d29795cdb8a431e2b5b4b77b2d6f35475

                                        SHA512

                                        19a391deac543eee7dd2628997218004783d0133a0e8fdc8cc39dd0862179cef788123dbed46977f95ff39f4938b18b1dc94cca77e001e8e3322470773e82cb7

                                        Download Submit

                                      • C:\Users\Admin\Downloads\TelegramRAT.exe
                                        Filesize

                                        111KB

                                        MD5

                                        9c6f004d573a9660f4201028b795cfad

                                        SHA1

                                        235d54b393067c9ebceaf89c25877f8f310bb037

                                        SHA256

                                        3e37cefc156c265e1b048f8f59caf0e87c9bd097e9a43d4c0eeb2f05999add5b

                                        SHA512

                                        ddc6c0856576611329be1ca108c2d97854a6efef1bc3ad3d4266c562b8ff92a31990dbe4d3cbce57c13f733bdbfd9d3e98a8200929ced2f26b4c63743bb08ef5

                                        Download Submit

                                      • memory/5308-175-0x0000028A55500000-0x0000028A55522000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/6116-218-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-217-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-216-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-222-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-228-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-227-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-226-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-225-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-224-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/6116-223-0x00000249EEBF0000-0x00000249EEBF1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download