toxiceye | 6e644b385d296b76bb3ba68ff006d6b86de763c8b5792e07053e20e3d8218d75

Analysis

max time kernel
134s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 18:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

TelegramRAT.exe
Size

111KB
MD5

e3d580a17a351366392ec9e2af674524
SHA1

354e8f441c2fa510e1b3ecab222280649a7efb9a
SHA256

6e644b385d296b76bb3ba68ff006d6b86de763c8b5792e07053e20e3d8218d75
SHA512

a7e2726a2b28a39f6624f419ab9194b4c8e3d4c117e324c2719b3f944c5262cbc064df8989d34b984d8541767327d18381adf6678e4445dc8a49afe0a0824309
SSDEEP

1536:dn+bAQACiEXM91qQIwvL9x1Cc0Di4OybhDqI64QW6zCrAZuQPEDrL:sbaCHXELrJp6bxqH4QW6zCrAZuQwv

Score

10^/10

toxiceye bootkit discovery persistence rat trojan

Malware Config

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	rat.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rat.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4616	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5096	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808352056333513"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe
4712	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2364	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
3000	chrome.exe
3000	chrome.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe
2364	rat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	TelegramRAT.exe
Token: SeDebugPrivilege	4616	tasklist.exe
Token: SeDebugPrivilege	2364	rat.exe
Token: SeDebugPrivilege	2364	rat.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	rat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 2280	5108	TelegramRAT.exe	85
PID 5108 wrote to memory of 2280	5108	TelegramRAT.exe	85
PID 5108 wrote to memory of 3300	5108	TelegramRAT.exe	87
PID 5108 wrote to memory of 3300	5108	TelegramRAT.exe	87
PID 3300 wrote to memory of 4616	3300	cmd.exe	89
PID 3300 wrote to memory of 4616	3300	cmd.exe	89
PID 3300 wrote to memory of 1520	3300	cmd.exe	90
PID 3300 wrote to memory of 1520	3300	cmd.exe	90
PID 3300 wrote to memory of 5096	3300	cmd.exe	91
PID 3300 wrote to memory of 5096	3300	cmd.exe	91
PID 3300 wrote to memory of 2364	3300	cmd.exe	92
PID 3300 wrote to memory of 2364	3300	cmd.exe	92
PID 2364 wrote to memory of 4712	2364	rat.exe	94
PID 2364 wrote to memory of 4712	2364	rat.exe	94
PID 3000 wrote to memory of 4276	3000	chrome.exe	116
PID 3000 wrote to memory of 4276	3000	chrome.exe	116
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1036	3000	chrome.exe	117
PID 3000 wrote to memory of 1808	3000	chrome.exe	119
PID 3000 wrote to memory of 1808	3000	chrome.exe	119
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120
PID 3000 wrote to memory of 4504	3000	chrome.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9385.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9385.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 5108"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5096
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd6745cc40,0x7ffd6745cc4c,0x7ffd6745cc58
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2308,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4896,i,6117771145805196158,17105295356537686978,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:2
  2⤵
  PID:652

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\13bcd312-262f-4cc8-bcc2-f11bfd40982a.tmp

Filesize
9KB

MD5
ee56a645c3d8e258265b6f1c29b46fa4

SHA1
299bcf256eb1596d1702f60e47c4682a1d0e2215

SHA256
aa62e865be3a048c16a2ab0c2e5cc2dced0d3bf81e2cbcf691996c77a758620f

SHA512
1a69d0124340602b0401fde58da8ccd4cfef33f8e9a59cd296d991034b43127e722f29b4c51958303dca34640336d42c688cb999185f6b8e49a7766aed7fd0db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\834aec65-b905-4fc5-bb4d-06c1a02e4954.tmp

Filesize
9KB

MD5
16015b0bd41439cfff8d8f5dba1e5e8a

SHA1
85182431a556b5dfcf7cb1c6425f2dfab88462a3

SHA256
cc882d299b103a82a0dc2efe62689b850bb7ccf11627de32cdf85b9758ec8f31

SHA512
62c1c3cd09769d20eb195fcb7ea88826e9d64f1e675c0b7b55d32b90e946200a513e16ef5803ccddf8d927c1380353ab659740e10635c4604e0619e21dff206a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cfadc5ff4bd0ddbf8030f942311c8b72

SHA1
fa92049a0c2069b79e0cbe9e69e00b6e71e1352a

SHA256
2959dc41770ddfb0ea1b15921b965d6db3296a820117cc810fc9ba97e2947446

SHA512
4a359a07a32d1ef8ac9777e814dbaf9826ea1bdc60802a55126477da4cd7121973f9f47a58eac495be7eb3bfc1bd0b2bb9d949e781b3fc4295b552c8301400ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ff84a49f4adf5929eacf11900972aa59

SHA1
36d0f084628b85617e19bf0e1660ae73ca011bfe

SHA256
cd1435bcbd21890dfedc648d9278bbc5c0f0197691eb6c26bfd1906c22ffbf3e

SHA512
a8a9e2f2301a107dfb359b92248111189a78f398b650318a18b5519a92ba0480bf24bb18193312d22d586b2860869be696a1f629aaeeb08262f6f72e4f4ec1b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f44759ca60b667be11652ae11dd515c5

SHA1
545e368c3753bc83ff843b49ab14bcf7e75f3e7c

SHA256
f9713b6738c8ad13aa23bd975769c49198be1491f28a193396cc7180622b1b7c

SHA512
e324a452b7bba78efae12c6de25f723c27f3d68ad518c805055f41e5ae30a901484d898148940176adbed2c68a22f5cb8ff502edfa824690c052ade0fa2dad16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
919501e789bd77a37041b96c7ed77d99

SHA1
44fab6b260ff1889c9dafbaad50df0bbbf2c0eb8

SHA256
a9ed0c23e055b64c34a20f701338531f5f498f3171b542967bc02ad861992def

SHA512
c8b5f390938b52e0886fa5be0b690ace677dff886ee13c073f896db9a0c3ba6087107dac350aad767c08878e21319dc7992b3f9f699b4f02b78c7f1242255a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9881a8e223c49189bb6597aba893a48

SHA1
c03c24f40e5ddc6b2b2ebd0c1e45ed4d7de1dc6f

SHA256
c223e006697de4ef577422ad13d23ab938bdc0af5333919255b1bea8bdfba650

SHA512
d2fe69d056f2a3a3569c38aa117292c2661b0fbe88d40abfc292bf183e8178c9b6049fc82d72ae777146dd81777b5076cabd4790a0e9b6fddf781cc03c1af303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
edc5685d5beec8318cd901128ca707a1

SHA1
83b18a25b5d02b81be1b5a52e5573fd90b982160

SHA256
81e55717cfeca2b2868b179762ca10e8d7a05107c01da8dfdc6bfcd6c01c6bbf

SHA512
0a932f47579f04c0bfaf18a1232aeac4f605df12a5bc6abfafc5aaec15403c32a68131f9b5ebf07e9e5a481cd36ca9282e182eba8aae3c6965185ee1464ce128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c99f8d5acf03610fc6e5abe8892c6b9d

SHA1
38aa617bdb47b1095772c9909e0d5def0ab6b012

SHA256
3fcfc2974c4ae1ee9bbd25190ba62cc50aad9147879a7c2a36c2d00796eae17f

SHA512
185f4c1d46cd9d1b093cbb910c77e7ac51a24c521a7bb7a2356886ba041f339a6ad22df50233a6424d84492d22191cec77a092630b222579f7686685acd1ee2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
eada3aa54f403e6d8a9c95bc8f08f44d

SHA1
082f6bc6810db70ef645b6ecdd401ab09e6c7e17

SHA256
4b5547dff76b5910efe5cb667c81b1756b67873495aa6233df79dc7895e1dae8

SHA512
0deb13410627f1a0004e107b4b967ae01efe52cf7f0bdab71f55f98e6ce6573a33296082e759804344ed7758317c62f8ed6612e59aeac988dcace5b5f27dc4de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7c14e9a195d0547e4e49eff7e12522d7

SHA1
63dd630832c0683567583d28c959faec47f9582b

SHA256
48531d7245f8d71be82dca7afe73a8a122a036164afa57144969f552adb4d4e6

SHA512
4838c715b476fe1fd923609d999e167c4340145160c771fcc75cd9966e142e43d0ef3c919510ca6e4a7a1a2b054eab465d6c8499f06b5a1c9705eac88cb5cf20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
9a337bd62c443a40b672065d0b01a260

SHA1
7b190ee97820715175102e449cbf83ba84932320

SHA256
30b030434f96da82c5a87afef00b2d52b48a96d34f898dee56d43d0754a6be81

SHA512
a29403dd4cd9e2f40bdd8b18f5d8088b82cd7a357b80c1c2e545a9e0154d6f75d0e1b1da54df2ab87d10e2e63ec65d1540ff3fb40b0a91521871431a890b9fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
933a902aeba9f4bf1dbaf08a6fbb4cf7

SHA1
6ca12e23e4f4b7310b34bb14e32c73dde0684a8d

SHA256
06c8527dcfcfbbd15bfe145484500d8776a440f5e76090f6751a3e8772d6ac7b

SHA512
82d1ce64cc69e1ee93c160e4e402bbde34b5c83febd4509aaebd30e95ca59bb3cd8ad16590d4ed6853820a0ddcea513d675859842137f10d78f9711de64b7838

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3000_530329778\18abed93-1667-4b7b-b512-be1f68c04c96.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3000_530329778\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9385.tmp.bat

Filesize
188B

MD5
94827e5a23ba8839d111d156597ffab1

SHA1
da11465a3096bb2c1ff230fb5995d728d369a90a

SHA256
098c0bfd8dc057b67fe4753f5cb218878d1115edf8c5f6a11560d72db736293f

SHA512
3436bdb0835d8a8486cdaf5ec41ca4f2c853716bf16c48ee036369338ee1b290bac17c9f562e354a4955df60143232ed9b462cfc77808f5b3f4b871b31de76b7

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
e3d580a17a351366392ec9e2af674524

SHA1
354e8f441c2fa510e1b3ecab222280649a7efb9a

SHA256
6e644b385d296b76bb3ba68ff006d6b86de763c8b5792e07053e20e3d8218d75

SHA512
a7e2726a2b28a39f6624f419ab9194b4c8e3d4c117e324c2719b3f944c5262cbc064df8989d34b984d8541767327d18381adf6678e4445dc8a49afe0a0824309

Download Submit
memory/2364-11-0x000001A4D06C0000-0x000001A4D076A000-memory.dmp

Filesize
680KB

Download
memory/2364-12-0x000001A4D07F0000-0x000001A4D0866000-memory.dmp

Filesize
472KB

Download
memory/5108-0-0x00007FFD6D403000-0x00007FFD6D405000-memory.dmp

Filesize
8KB

Download
memory/5108-6-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-2-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-1-0x0000014962850000-0x0000014962872000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads