toxiceye | 3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
Size

584KB
MD5

001ed9b78e44a5545679286e3872ebc4
SHA1

11a7fa8453ec8a594200b66d889aaf3d3f6a132a
SHA256

3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1
SHA512

68ed219c2660d2a2904e2f7c69f378eeac657e11d9d57345de3f0c025ccd03a77a0e66bb095849e17ef9f7abc7a8b6f83822789e12cb02c9e38d0adc969eb84c
SSDEEP

12288:NY4Sjc5JLsNiN5pa3pnISrX+t4eLMd18Sb1sDkwtkn4nQp6WIoD:NJAc79zpaZnISdeLa8Sb1AA4neDD

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot6614924384:AAFfRfKSXv_nYZghPcfGxWb5r0pZZqztlKU/sendMessage?chat_id=5006597517

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Executes dropped EXE 25 IoCs

pid	Process
1072	System.exe
2792	crss.exe
1440	crss.exe
2344	crss.exe
2596	crss.exe
1776	crss.exe
1408	crss.exe
892	crss.exe
3060	crss.exe
2868	crss.exe
2340	crss.exe
2276	crss.exe
2712	crss.exe
1180	crss.exe
2288	crss.exe
1500	crss.exe
2112	crss.exe
2296	crss.exe
1976	crss.exe
1616	crss.exe
1068	crss.exe
1236	crss.exe
2808	crss.exe
2260	crss.exe
2268	crss.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\win.bat	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
File opened for modification	C:\Windows\win.bat	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259438882	System.exe
File created	C:\Windows\1.vbs	System.exe
File opened for modification	C:\Windows\1.vbs	System.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259438570	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
File created	C:\Windows\System.exe	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
File opened for modification	C:\Windows\System.exe	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
File created	C:\Windows\crss.exe	System.exe
File opened for modification	C:\Windows\crss.exe	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1496	schtasks.exe
2740	schtasks.exe
2216	schtasks.exe
560	schtasks.exe
920	schtasks.exe
2968	schtasks.exe
1704	schtasks.exe
2252	schtasks.exe
996	schtasks.exe
2540	schtasks.exe
2916	schtasks.exe
2692	schtasks.exe
2080	schtasks.exe
2780	schtasks.exe
1848	schtasks.exe
2368	schtasks.exe
1876	schtasks.exe
2904	schtasks.exe
1696	schtasks.exe
2280	schtasks.exe
1932	schtasks.exe
2136	schtasks.exe
2868	schtasks.exe
1692	schtasks.exe
1472	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 24 IoCs

pid	Process
2792	crss.exe
1440	crss.exe
2344	crss.exe
2596	crss.exe
1776	crss.exe
1408	crss.exe
892	crss.exe
3060	crss.exe
2868	crss.exe
2340	crss.exe
2276	crss.exe
2712	crss.exe
1180	crss.exe
2288	crss.exe
1500	crss.exe
2112	crss.exe
2296	crss.exe
1976	crss.exe
1616	crss.exe
1068	crss.exe
1236	crss.exe
2808	crss.exe
2260	crss.exe
2268	crss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	crss.exe
2792	crss.exe
2792	crss.exe
2792	crss.exe
1440	crss.exe
1440	crss.exe
1440	crss.exe
1440	crss.exe
2344	crss.exe
2344	crss.exe
2344	crss.exe
2344	crss.exe
2596	crss.exe
2596	crss.exe
2596	crss.exe
2596	crss.exe
1776	crss.exe
1776	crss.exe
1776	crss.exe
1776	crss.exe
1408	crss.exe
1408	crss.exe
1408	crss.exe
1408	crss.exe
892	crss.exe
892	crss.exe
892	crss.exe
892	crss.exe
3060	crss.exe
3060	crss.exe
3060	crss.exe
3060	crss.exe
2868	crss.exe
2868	crss.exe
2868	crss.exe
2868	crss.exe
2340	crss.exe
2340	crss.exe
2340	crss.exe
2340	crss.exe
2276	crss.exe
2276	crss.exe
2276	crss.exe
2276	crss.exe
2712	crss.exe
2712	crss.exe
2712	crss.exe
2712	crss.exe
2712	crss.exe
1180	crss.exe
1180	crss.exe
1180	crss.exe
1180	crss.exe
2288	crss.exe
2288	crss.exe
2288	crss.exe
2288	crss.exe
1500	crss.exe
1500	crss.exe
1500	crss.exe
1500	crss.exe
2112	crss.exe
2112	crss.exe
2112	crss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	crss.exe
Token: SeDebugPrivilege	1440	crss.exe
Token: SeDebugPrivilege	2344	crss.exe
Token: SeDebugPrivilege	2596	crss.exe
Token: SeDebugPrivilege	1776	crss.exe
Token: SeDebugPrivilege	1408	crss.exe
Token: SeDebugPrivilege	892	crss.exe
Token: SeDebugPrivilege	3060	crss.exe
Token: SeDebugPrivilege	2868	crss.exe
Token: SeDebugPrivilege	2340	crss.exe
Token: SeDebugPrivilege	2276	crss.exe
Token: SeDebugPrivilege	2712	crss.exe
Token: SeDebugPrivilege	1180	crss.exe
Token: SeDebugPrivilege	2288	crss.exe
Token: SeDebugPrivilege	1500	crss.exe
Token: SeDebugPrivilege	2112	crss.exe
Token: SeDebugPrivilege	2296	crss.exe
Token: SeDebugPrivilege	1976	crss.exe
Token: SeDebugPrivilege	1616	crss.exe
Token: SeDebugPrivilege	1068	crss.exe
Token: SeDebugPrivilege	1236	crss.exe
Token: SeDebugPrivilege	2808	crss.exe
Token: SeDebugPrivilege	2260	crss.exe
Token: SeDebugPrivilege	2268	crss.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2792	crss.exe
1440	crss.exe
2344	crss.exe
2596	crss.exe
1776	crss.exe
1408	crss.exe
892	crss.exe
3060	crss.exe
2868	crss.exe
2340	crss.exe
2276	crss.exe
2712	crss.exe
1180	crss.exe
2288	crss.exe
1500	crss.exe
2112	crss.exe
2296	crss.exe
1976	crss.exe
1616	crss.exe
1068	crss.exe
1236	crss.exe
2808	crss.exe
2260	crss.exe
2268	crss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2924	3052	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe	30
PID 3052 wrote to memory of 2924	3052	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe	30
PID 3052 wrote to memory of 2924	3052	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe	30
PID 3052 wrote to memory of 2924	3052	3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe	30
PID 2924 wrote to memory of 1848	2924	cmd.exe	32
PID 2924 wrote to memory of 1848	2924	cmd.exe	32
PID 2924 wrote to memory of 1848	2924	cmd.exe	32
PID 2924 wrote to memory of 1848	2924	cmd.exe	32
PID 2924 wrote to memory of 1072	2924	cmd.exe	33
PID 2924 wrote to memory of 1072	2924	cmd.exe	33
PID 2924 wrote to memory of 1072	2924	cmd.exe	33
PID 2924 wrote to memory of 1072	2924	cmd.exe	33
PID 1072 wrote to memory of 2676	1072	System.exe	34
PID 1072 wrote to memory of 2676	1072	System.exe	34
PID 1072 wrote to memory of 2676	1072	System.exe	34
PID 1072 wrote to memory of 2676	1072	System.exe	34
PID 2676 wrote to memory of 2792	2676	WScript.exe	35
PID 2676 wrote to memory of 2792	2676	WScript.exe	35
PID 2676 wrote to memory of 2792	2676	WScript.exe	35
PID 2676 wrote to memory of 2792	2676	WScript.exe	35
PID 2792 wrote to memory of 2868	2792	crss.exe	37
PID 2792 wrote to memory of 2868	2792	crss.exe	37
PID 2792 wrote to memory of 2868	2792	crss.exe	37
PID 2792 wrote to memory of 3068	2792	crss.exe	40
PID 2792 wrote to memory of 3068	2792	crss.exe	40
PID 2792 wrote to memory of 3068	2792	crss.exe	40
PID 2676 wrote to memory of 1440	2676	WScript.exe	41
PID 2676 wrote to memory of 1440	2676	WScript.exe	41
PID 2676 wrote to memory of 1440	2676	WScript.exe	41
PID 2676 wrote to memory of 1440	2676	WScript.exe	41
PID 1440 wrote to memory of 2368	1440	crss.exe	43
PID 1440 wrote to memory of 2368	1440	crss.exe	43
PID 1440 wrote to memory of 2368	1440	crss.exe	43
PID 1440 wrote to memory of 2328	1440	crss.exe	45
PID 1440 wrote to memory of 2328	1440	crss.exe	45
PID 1440 wrote to memory of 2328	1440	crss.exe	45
PID 2676 wrote to memory of 2344	2676	WScript.exe	46
PID 2676 wrote to memory of 2344	2676	WScript.exe	46
PID 2676 wrote to memory of 2344	2676	WScript.exe	46
PID 2676 wrote to memory of 2344	2676	WScript.exe	46
PID 2344 wrote to memory of 1704	2344	crss.exe	48
PID 2344 wrote to memory of 1704	2344	crss.exe	48
PID 2344 wrote to memory of 1704	2344	crss.exe	48
PID 2344 wrote to memory of 1616	2344	crss.exe	50
PID 2344 wrote to memory of 1616	2344	crss.exe	50
PID 2344 wrote to memory of 1616	2344	crss.exe	50
PID 2676 wrote to memory of 2596	2676	WScript.exe	51
PID 2676 wrote to memory of 2596	2676	WScript.exe	51
PID 2676 wrote to memory of 2596	2676	WScript.exe	51
PID 2676 wrote to memory of 2596	2676	WScript.exe	51
PID 2596 wrote to memory of 2740	2596	crss.exe	53
PID 2596 wrote to memory of 2740	2596	crss.exe	53
PID 2596 wrote to memory of 2740	2596	crss.exe	53
PID 2596 wrote to memory of 1268	2596	crss.exe	55
PID 2596 wrote to memory of 1268	2596	crss.exe	55
PID 2596 wrote to memory of 1268	2596	crss.exe	55
PID 2676 wrote to memory of 1776	2676	WScript.exe	56
PID 2676 wrote to memory of 1776	2676	WScript.exe	56
PID 2676 wrote to memory of 1776	2676	WScript.exe	56
PID 2676 wrote to memory of 1776	2676	WScript.exe	56
PID 1776 wrote to memory of 996	1776	crss.exe	58
PID 1776 wrote to memory of 996	1776	crss.exe	58
PID 1776 wrote to memory of 996	1776	crss.exe	58
PID 1776 wrote to memory of 2012	1776	crss.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
"C:\Users\Admin\AppData\Local\Temp\3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\win.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /tn "MyApp" /tr "\"C:\Windows\system.exe"" /sc ONSTART /ru SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1848
- - C:\Windows\System.exe
    system.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\1.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2792 -s 1548
        6⤵
        
        PID:3068
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1440 -s 1512
        6⤵
        
        PID:2328
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2344 -s 1500
        6⤵
        
        PID:1616
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2596 -s 1504
        6⤵
        
        PID:1268
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:996
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1776 -s 1496
        6⤵
        
        PID:2012
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1408
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1692
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1408 -s 1508
        6⤵
        
        PID:2916
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:892
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2252
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 892 -s 928
        6⤵
        
        PID:2396
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3060
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3060 -s 936
        6⤵
        
        PID:2692
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2868
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2868 -s 928
        6⤵
        
        PID:2264
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2340
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1876
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2340 -s 1504
        6⤵
        
        PID:1716
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2276
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1496
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2276 -s 1500
        6⤵
        
        PID:1844
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2712
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2904
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2712 -s 928
        6⤵
        
        PID:2756
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1180
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1696
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1180 -s 1504
        6⤵
        
        PID:908
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2288
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2288 -s 1492
        6⤵
        
        PID:2208
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1500
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1500 -s 1496
        6⤵
        
        PID:2616
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2112
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2112 -s 1488
        6⤵
        
        PID:2812
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2296
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2080
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2296 -s 1036
        6⤵
        
        PID:2792
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1976
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1976 -s 1500
        6⤵
        
        PID:1592
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1616
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:560
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1616 -s 1504
        6⤵
        
        PID:2592
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1068
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1068 -s 1504
        6⤵
        
        PID:844
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1236
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1236 -s 1504
        6⤵
        
        PID:2144
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2808
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2808 -s 1500
        6⤵
        
        PID:1708
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2260
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2260 -s 1492
        6⤵
        
        PID:2068
    - - C:\Windows\crss.exe
        
        "C:\Windows\crss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2268
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2268 -s 1508
        6⤵
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1.vbs

Filesize
123B

MD5
31aab08a0e1733b8196172d5901e7517

SHA1
cb4092011eebab5c9d3bb2e8a4b79c4111b50ff4

SHA256
3c7d4f1aa35d091d73fad7bc1e70112fc88e9f6e6445d8da34effcde67d3e6b8

SHA512
c3452c4f0f1eb1f9c5abb45b73523c6d48635653ec491202c548454aee48d06560ecac13e34c288ca078df47867ca424e3d699f31abe68500e7cb555f5252784

Download Submit
C:\Windows\System.exe

Filesize
403KB

MD5
c9285b00b99565bdf3a6c04c518f6299

SHA1
d0e5c114019d6ef5211c7d7384d7b0ac5ab4f62b

SHA256
8fa065e4ed2a8ebb457326eafddc6e4f715baeb60e2da39f212d25e6281c6171

SHA512
b0554ec39fad010fb66e65832b9407ba3eee63d9e3fa414fc339712e486bbced6103393990fae783c8ac236b5a4f06e6dea28e2bb105b574eeb7f08a7d082bb0

Download Submit
C:\Windows\crss.exe

Filesize
119KB

MD5
b8853b3517287fc33fce3bf78d2fd693

SHA1
3c20e9c59a8653862c0caf43272353447a458a1f

SHA256
581449c5fa2f3adc3e263aeb030accd55465713baecff297fbafb915a2df2fdb

SHA512
206189ac7614eb9a312c312810a060494c4121bebad34692de8e2b5de5db36c144bc4266be278799f0061b829b5c7e1c191bb18aadcf505737ef19936bab718a

Download Submit
C:\Windows\win.bat

Filesize
129B

MD5
ec573f06f672b120d6af7289e81c8381

SHA1
3e067592aeab1201a1bf0ded92808591894ef9df

SHA256
3932a21385c1e8bda0961f3d360342972abff3345d20a30dabd9b6d157172a18

SHA512
89fb52aa29faa73f9e156412392e2dc62e95f4e3d4e711e557ef6e1519412262dd05119dc8f8d90f322e9deb80017f44f9fe8ef9fffae883f691caeb5228a90e

Download Submit
memory/1236-54-0x0000000000110000-0x0000000000134000-memory.dmp

Filesize
144KB

Download
memory/1776-37-0x0000000001310000-0x0000000001334000-memory.dmp

Filesize
144KB

Download
memory/2260-58-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2268-60-0x0000000000890000-0x00000000008B4000-memory.dmp

Filesize
144KB

Download
memory/2344-33-0x00000000001B0000-0x00000000001D4000-memory.dmp

Filesize
144KB

Download
memory/2596-35-0x00000000010C0000-0x00000000010E4000-memory.dmp

Filesize
144KB

Download
memory/2792-29-0x00000000012E0000-0x0000000001304000-memory.dmp

Filesize
144KB

Download
memory/2808-56-0x00000000008C0000-0x00000000008E4000-memory.dmp

Filesize
144KB

Download