toxiceye | hxxps://gofile[.]io/d/i4Erbj

Analysis

max time kernel
12s
max time network
28s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/01/2025, 13:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/i4Erbj

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye
Downloads MZ/PE file

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5672	tasklist.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\30d09df7-c5b5-4437-9c42-8502da1e6e95.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250105134546.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5716	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 754408.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5560	schtasks.exe
5940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1744	msedge.exe
1744	msedge.exe
2420	msedge.exe
2420	msedge.exe
2328	identity_helper.exe
2328	identity_helper.exe
3272	msedge.exe
3272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 732	2420	msedge.exe	81
PID 2420 wrote to memory of 732	2420	msedge.exe	81
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1912	2420	msedge.exe	82
PID 2420 wrote to memory of 1744	2420	msedge.exe	83
PID 2420 wrote to memory of 1744	2420	msedge.exe	83
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84
PID 2420 wrote to memory of 1240	2420	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/i4Erbj
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc3d5346f8,0x7ffc3d534708,0x7ffc3d534718
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:784
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6005a5460,0x7ff6005a5470,0x7ff6005a5480
    3⤵
    PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,726015090881550801,7627145937632374192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5252

C:\Users\Admin\Downloads\TelegramRAT.exe
"C:\Users\Admin\Downloads\TelegramRAT.exe"
1⤵
PID:5348
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Tel\Tel.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBE5E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBE5E.tmp.bat
  2⤵
  PID:5608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 5348"
    3⤵
    - Enumerates processes with tasklist
    PID:5672
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:5680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5716
- - C:\Users\Tel\Tel.exe
    "Tel.exe"
    3⤵
    PID:5732
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Tel\Tel.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aee441ff140ecb5de1df316f0a7338cd

SHA1
82f998907a111d858c67644e9f61d3b32b4cd009

SHA256
5944b21c8bdfb7c6cb0da452f8904a164cc951c6a4bb3a306eaebcad2d611d67

SHA512
54a2c1d4c8791ebc6324c1be052b7b73cbd74057d0ea46400cfd8e60f9a884ade60d838777eba7001cf44c924f63cba1a9708a6c71bf966f63f988c49ca70d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
821b1728a915eae981ab4a4a3e4ce0d1

SHA1
8ba13520c913e33462c653614aece1b6e3c660a2

SHA256
36c38bde1e74c5ee75878f275a411e528c00eaa3091e7c4adfa65b8b7d28fb3b

SHA512
b8fd54808711878ed567f474f174db662e2457b6c246f625e148944532c70d94d87e96ef6febfb657895dd0eadc25906c9106fa75c6b2d3bd37ca6786f03a8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b18b8708a03f70d8e7e397caebeb40f3

SHA1
a6fc6b33d37261388073c3e0202f8f0a8b8a448f

SHA256
f9ebc1ef9f801f520a0d54c7ef5c09333460e1cfb5b1e1e3451ff036f36ea4ad

SHA512
cf94a0dfab45377a687db53336dbca3475b35a7f41066dd4b1acc48c57eea7fcec803a1b6c1fdcf3774430b61f5875fab4173946218aae70b1b8b8a3f10b5a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1a25b0bbbbed7905ab33f32bba196897

SHA1
f8fdac4ae3954c8401a28419b2da56c9a1de09a3

SHA256
331c17078db62bb9871c01dc7547f56e2e732eb707cc49fabb7ca5e0b6d1278a

SHA512
3f97f312a0c4ff37eae8b08f33f686da86d0af50f5bb31651383225985ff394044b4c2f7ec27de5800b289d3326e3598aad0905e7e4401be53ae68c60fd3c984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62c9f5e8ae9f40d63e78d3c600d876f4

SHA1
612aae61c2d4d1ae36b8252836393ae0f5932fb5

SHA256
e0bf49299cc647634bee78333984686e05a7fdc48b9bcc8c99144703a5054a8d

SHA512
919fb35fcacdda5b54639569c91f02f75b6c72298c0f379c4c5aaa0bbc8b92db310d4035e85e54f3bfa684ad1babd8d6a2d3fb909dbd2b9fc6f63373da06d010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
edb8b1bf73e4ff27b271a56bbbc68d8a

SHA1
fe246645f6dd253d544ab6c7a6ba45d87b913f84

SHA256
65db6ce1fc0351dced516511718cc91ba8ea88e543f5bce5e33aae61eb0e2aa0

SHA512
a77f8679f41112eaf623d1f8b7ef4446901919eb4c227671b172815317d778283313663e9f949e9038c1c56771c9469bc3ecac083a9886ea33188d364ac1d454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e4fd7b84cca41c7e2890a351a5801111

SHA1
1ab658143dafd8020c79a3d38d6e18438a301d8b

SHA256
2c444cb8ce673c58abcd6aacc022b151c04269550736046f492efb4b8d882e74

SHA512
5454a416af3312343da7f99dcd448f625365708cf6754f8ad3a123512b09750ca1bca77bd6e059cea7f55f6aeda5aff8f9044f68a64834c0bec868f8266fd948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
40054cb73dd68fcf513186a36e7b28b1

SHA1
782f64c46affe72bd6b334c69aae88aa32216b2d

SHA256
136f61f0d620207ec049ca6889378a9e89d998a6ef15fbd2a8095482d8d88118

SHA512
8689097b5b94b64af0be6b51f176041b25f5464bae229b7344df07a29893d5f13498c3f88f6448b956baa7accb460e31f5ffec6eda35f31b0587b5b0a1e63c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
729df10a7e0b722edf6673d36f2040a3

SHA1
d082d92cb6eb8c0d79c9ea7e67e8b4828c5ea02b

SHA256
e2c498352af617d6d1106ea4d53c59fadc993a1f432068307250cdd0be68f7c0

SHA512
1619048945ed9b48ab2568dc546adf5173f2c60d03ee74f4616c3ffafe7182052b760feea19ce288799448c0f613b5e5592e5c547417fd7705997663439e3270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
48ffb66ed47f647c99dd60140e440102

SHA1
99d7175da26fc2ec481975d5ea29367b5c4c91f4

SHA256
9edf9016b4e3a85c120da6f882f004003b3879229d3f5e5b33863918c3833073

SHA512
fcbb26b0c020cce6506ff84da224b87b166b59120e29b7a9798de943612de2f32f449e09592433ee30e32ca49aca17b95c3578aa5007d8780c6c2acea782520b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ce8aa490eaf0c321b872b6a4ced13dd

SHA1
d4a5fca35e584f060dcc12973bdc6d542fbdbc13

SHA256
ee15ec2e1eea3463582e2ba8df358ec22be7e049fd9abf3203c4e846be249aff

SHA512
d312986e82091f401d752c2e4f0e41a04b0ce04a04f67a9c7349726e4eb2abd294fa340c68873c45d5c0fe1a70fd979e10f602e78fd5d7d90fb5d4a969a0cb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE5E.tmp.bat

Filesize
183B

MD5
9d9717753b09733ff4a635b7c1259d69

SHA1
218e7649dc6f9bf10fc37b48a9dbe5a7ff5715f2

SHA256
0dfa357a0992979f671262899379dc331cd91e4333b65db001b6cd4848b6a0e6

SHA512
fc7825f2eb6be6335c940d30d3ba440ed4e7b1fbf9a6e3b2dcec26bca00d7543638f52ef5bec034ad93bedc4976b68f7a2f9eef19547d0f8e7f592f5706716b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c3b9b218bd8437eaa4f8e3d8ed137de4

SHA1
f5f8ae65504dec1510c0ffd7e95c9fd128da12f1

SHA256
338edf8902ec22e1fb89b25a920b95eba13eaef482531a2487f6bd88fa0d09fa

SHA512
bbff7d72a9d6d86da39e5b6bd3a3b5cc5923fad8f514ee28e2e5028c8826f59e205a07be827f2399d32bfd57e615fe804f42fbf84c00831c2a077885d44d6bee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5ce0513e02f435fc236364d6e0d1f21a

SHA1
c0c0c0e83f46fcad750f3cada98096bdf0014350

SHA256
6d9c828d253c84ca7cfb87a777fba64657cd450d008b6a450af42b54d79a4c09

SHA512
a9a66600add944ea4a147b0b01dac41ca3da42fc4e26acb7791f512ba7d3edaade1627395885c05de5aa1dc6c36b8773485735006210c848cf255bab2a858a71

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 754408.crdownload

Filesize
111KB

MD5
73d99571d3b250a8772f1ce1920f7a0f

SHA1
ee3ae2f4175822198c7b77cbb77a04a79ffd8257

SHA256
0516006e628ec1d216238b1713fd45f9b8b887951a42cc7991f13fd2fdfea32b

SHA512
c0d62388211c8ff336ccb0bc4d48fc0d78810309b64fc67b817d62124b36af58e6f68176d64dfac64a264fc8efc6ad250dbcfaf5c2e22a01c14f277224d04fb6

Download Submit
memory/5348-223-0x000001CD9D5D0000-0x000001CD9D5F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads