zgrat | 3c21cb1b6a535cbdfc874821b7836516ebd20ab8afb94b3c18636780666ff9ba

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AZURE PROXYLESS CHECKER-noAnti_Slayed.exe
Size

2.3MB
MD5

5122f846edafa2010c57c3e898b4a12a
SHA1

83132f608365e96021fe5d2466e3577d959415c7
SHA256

3c21cb1b6a535cbdfc874821b7836516ebd20ab8afb94b3c18636780666ff9ba
SHA512

f53a7469c2d00bd9e8949d6eb69ba7e8a3814d631ee1647fb6fc86c6fe6f9160eca68f9777bdc4721a201ec2dc4ad1234ebc6ddf280060edff52af7b6f1a668f
SSDEEP

49152:KfhNO/E5yqDpXtWqwK75F5745fzSjoZNQPajoNeOyJuhA:Kfh4s5zhpwKdH7gfzScZt0eOys

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral3/memory/1844-1-0x0000000000520000-0x0000000000780000-memory.dmp	family_zgrat_v1
behavioral3/files/0x000d000000023b9c-166.dat	family_zgrat_v1
behavioral3/memory/1132-175-0x00000000002B0000-0x00000000004B6000-memory.dmp	family_zgrat_v1
behavioral3/memory/5064-171-0x0000000000400000-0x0000000000644000-memory.dmp	family_zgrat_v1
behavioral3/memory/4872-222-0x0000000000400000-0x0000000000644000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	ms_tool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	ms_tool.exe

Executes dropped EXE 2 IoCs

pid	Process
4404	ms_tool.exe
1132	ms_updater.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1924 set thread context of 5064	1924	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	136
PID 3872 set thread context of 4872	3872	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	146

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4340	5020	WerFault.exe	86
3820	4872	WerFault.exe	146

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594793137424931"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe
1132	ms_updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 1844 wrote to memory of 5020	1844	AZURE PROXYLESS CHECKER-noAnti_Slayed.exe	86
PID 3048 wrote to memory of 1988	3048	chrome.exe	104
PID 3048 wrote to memory of 1988	3048	chrome.exe	104
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 2156	3048	chrome.exe	105
PID 3048 wrote to memory of 4316	3048	chrome.exe	106
PID 3048 wrote to memory of 4316	3048	chrome.exe	106
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107
PID 3048 wrote to memory of 3616	3048	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 552
    3⤵
    - Program crash
    PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
1⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa5bcbcc40,0x7ffa5bcbcc4c,0x7ffa5bcbcc58
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1604,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1600 /prefetch:2
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3700,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4512,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4836,i,2582929314404378519,1357993788355776521,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:1212

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  PID:5064
- - C:\Users\Admin\AppData\Roaming\ms_tool.exe
    "C:\Users\Admin\AppData\Roaming\ms_tool.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:4404
- - C:\Users\Admin\AppData\Roaming\ms_updater.exe
    "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1132

C:\Users\Admin\AppData\Local\Temp\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 628
    3⤵
    - Program crash
    PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4872 -ip 4872
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
38774e688535cbbec9e11bb4345a458a

SHA1
5c4fbc1176e95e5f34f96f5ed1fbe2b988b17591

SHA256
8c6d1e2fd6cd9f46421b4ba59433c28d319a621e5ad9055e48ae35538e4d9d8b

SHA512
1d6d5373134efa7540a66a671fab14840bcf17575baf1dffbe0201e6611c5124b4fa3f0af9256de1318026d9e195b4592bc2092f272ffd2ce8a29fe4c52cb9bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7caf21e0b43d860f2d0feb5121f4c93d

SHA1
507f9eb41b197daf18b0ffc215542385f7fb098e

SHA256
b226c1891b23e4b813032db9164e08797151b1bebc5e3549c2aec88d27f343d3

SHA512
adb192430a7b0b17dd1cb5e8e25e2c29b9cbbe6c9fc3cfbe37ba6ce7e5d94eebfaa5e5f7fd8693a34655762daf60cb1941bfcedca5f83cefc671fd35adfb0fe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d8953eb9f1497cb76e3a0ded80a39dad

SHA1
b89e85c2b55b9f2d31e3aca88cbcf83aa75fdd3a

SHA256
a4b7d4e6446b19e64ebaea3f9fc354bee8ccbfefe0a8eef2eb3b725368369208

SHA512
6a73982f75a9c2bcac210fe36d11a8c2d05d3630ec5f889dca891a9f48533ab7172d115fe5bee05a2495badcd00ff09ba65367a0656a571eec7f7ab0ddf9b5e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa1ff88e5ec37395be111bd78170ebaf

SHA1
4a20736615f5a46760e32c25c01e70fe90ffb1e7

SHA256
108f77cff262f4bff086d3e70c4acd173f9df2fff66fa2c04376356e17d8854f

SHA512
94b5eeab52de3250e62d1d8ed441b707c47d3cd05663f4727e5d6bc08b758b87800646417e93458b3ce39dbb0a99e50e057bdc498cef324da1ce2d9ea51f63a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3753294d69bc5a89e3749d5467893d52

SHA1
b483e7c121bfab2ae68e89371124b7bdde3ea26e

SHA256
c5f5cf2bfb275f30a03b26291a36cfaad236d99e314c0b6469db4fbc8a8252c6

SHA512
41e2ac9ebc7c319e253f70da923e6f81caf999ab0d9c09147990ae931a211f7edd1c647049d50858d8e44e7f302c326b180617c9a392ef3defeb7c7cbfe3d3d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3da56d57ea86ac4c0e28d30a621be900

SHA1
f946e118260fddb94446a73b75aafa792b0e5e03

SHA256
247b353e711635c91186e23f61f6aab4893d541fc6ff2d2285a8b279365ec369

SHA512
627d8b57b50450ce8c26fb8f033197d4c81d9421b4cc6e5fbff2a3b4053a2953f0e58de8fbb8482178f5b8e29ecb7ab599f4dc4e3a40db3699f4f330d07559c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c46c3c536c0f7266415fb764d0d21f5

SHA1
bb204edbd644fdb2574de511d593d1ae4182d15e

SHA256
9347dc29e9404a74c831adddb93ab04f874b274c52f56d64365b125c729aaebe

SHA512
5a8bba7f3e739b5f723bc8ce2d43c96e5b58e8692fc3bd2922cb7a475fc44edf656b5dcabd9cf40ec64798d5aec6aaf3609176dddef5d44dc4bb419a01038131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca749ff41154eb3a11f48b2779a990a5

SHA1
e9a16223b077ec35f333d74da4bd53e11b406652

SHA256
be0eb7532298e286ee572043fb6c12804bde942e4f959760f7ba7da3b0dc184d

SHA512
aaedb4ecdf9e29c58486ae73c6fc7ccdd3888c016275721d733de436146ab968c9fcc64581d88da287dbeafc4fb9086342f3a608263d3f4ed5edcaee430361e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c9b407e99558aa40ef85ac6b36bcd5d

SHA1
74f07fb45c50f62e4adb3ffa6975da8c5e4bc8af

SHA256
67effe44deedfe71be4ec2cae5906de19f3e43bb9087bdbb3b92101f741b0e68

SHA512
3e2931715502de325ce36daa2f1d7bc530095e19b6ba71a4c9b14e4b37a4db48e8249495e11f4397bd0671744b21b66ae095960b68cde94e8cf1c21a287ef0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f243136d9cd43091272df3fcfba5b59d

SHA1
6fe6e404290ab3aa68613bba49855bc3aa722f79

SHA256
be32e32afdcfda8ecde4db79b8e950a33004dd24a389d25c700619d58623913b

SHA512
aa7af96059a75511f5bf1a3354c3a6f203ae519305e5f0c6d3da166f2336db698ba18ed8c4e9866700496255c393668de325534387a3067ddc49902378f34009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a696e2894f32c4958f45796b84c490e

SHA1
c485583fe814656b11113e13cb1706070e871b55

SHA256
dab3235c8ac8cfea834435e04702662e75432437f32cfbaf8016bb99d0f13088

SHA512
72a9c0c78cadc9186fae2885572a239daf577046842fc8985b2f7a7d0cc30ba4c5d601b4ee6068a4941a7ace202bc057cb969df645bb59d82e880316f69d9a2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d74cf03a388e86c47a798bc636dd2871

SHA1
bee91a9f7ff5b8bda667875fbe41c0470e0cfdbc

SHA256
b7cf2ce844af970370a4e7508ed41ebe6f0a902f6250cb8fe434db5585444eb3

SHA512
1e4dca943f052d0ea0f6ece130c331f445df382770c28dad0998a29fd9b7e05e1632e75fa927d0169e03d42fdfe48ecc675593fd8f84720d04cef62051978633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ec90cf07634e0190ab51965b12262adb

SHA1
2c58817172e36b3446a790bb787e8d437a7a8fc3

SHA256
a27be87684c4ffd6f1b0214def8bd6a3160e62d7a3ec25dd3f90e7729e58b9ca

SHA512
4121a93b15cd271df38386fa775ef83947b24e978fdccbeffcfd79faa8996b0b7c672db079c39f7012f4b03c61c5d4ce38444b84fd722646475b07d042e2b244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
650979d1540f8405c76b65ab584a39ce

SHA1
e94ad1246a0b612e7424a3fddee3ba4b3e284356

SHA256
59391fcd2cc7a651523119725c984711836abccb7d7b5c3b16724381bb426419

SHA512
ef4aaf23fa034fd6a8e618c78bbe0a03768ab237426d56ed72c119d9ef31d1fb924df46f6b8c320d8f95460d2d169bec480b20467a001a44eddf30f66b584a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
2fe94b54a797bae0a8b8464390cd3fed

SHA1
ee03550cdebd6bf6d81a1246cc6b5eba8132f5fe

SHA256
81d80beaa5ff523d3cb398f4cbb1b9339ea4128fe3c0714d6cafbff4b58f05c1

SHA512
8a6a53932d18bb0c6793994c008be14f6a2f4eb4ad1f6782c7dded80ea073ed382c06ccd35dec825f79c3b441a94d53c3dd526e08b2511f0cf40ce347af372da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AZURE PROXYLESS CHECKER-noAnti_Slayed.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Roaming\ms_tool.exe

Filesize
11KB

MD5
f8701952b62a7e52652271a20b824128

SHA1
82292b1cd54afa277116b42f4b1c43c8933478f0

SHA256
5b0b886143ffe9f5c5750c9b171656783668b655e559ea95d002a265586e3413

SHA512
5acde46db767cf11ea5183007542fd67e1512ccfbcc37efdec685e2db369840a767981b0996dbace0f40602ada0a5c0aed39019ce06590151cd59f0dfa5d68e5

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
2.0MB

MD5
31e5e3ac5a03d60d67188b6b0c3d152b

SHA1
41e831bc8b0c314a46d17492ded7b6b587d66db2

SHA256
dc73ce51066fdcd5f0c7c88fd6fdfb9a4a3722ebe3d2def1dc593fbc1af9e467

SHA512
64837c66af3f63c214ff8f466266f3dea1cf135d54ccaaf5c06fa13763045d79220f88d09ca49a36668d7e1f506bc74c9a2b8de0ec77aac272b0e1466aa168c2

Download Submit
memory/1132-185-0x000000001B090000-0x000000001B09E000-memory.dmp

Filesize
56KB

Download
memory/1132-191-0x000000001B200000-0x000000001B20E000-memory.dmp

Filesize
56KB

Download
memory/1132-203-0x000000001B6D0000-0x000000001B779000-memory.dmp

Filesize
676KB

Download
memory/1132-193-0x000000001B570000-0x000000001B57C000-memory.dmp

Filesize
48KB

Download
memory/1132-189-0x000000001B1F0000-0x000000001B1FC000-memory.dmp

Filesize
48KB

Download
memory/1132-187-0x000000001B550000-0x000000001B562000-memory.dmp

Filesize
72KB

Download
memory/1132-183-0x000000001AF70000-0x000000001AF7E000-memory.dmp

Filesize
56KB

Download
memory/1132-181-0x000000001B530000-0x000000001B548000-memory.dmp

Filesize
96KB

Download
memory/1132-179-0x000000001B580000-0x000000001B5D0000-memory.dmp

Filesize
320KB

Download
memory/1132-175-0x00000000002B0000-0x00000000004B6000-memory.dmp

Filesize
2.0MB

Download
memory/1132-178-0x000000001B210000-0x000000001B22C000-memory.dmp

Filesize
112KB

Download
memory/1844-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/1844-10-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1844-1-0x0000000000520000-0x0000000000780000-memory.dmp

Filesize
2.4MB

Download
memory/1844-12-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4404-174-0x000001D2562F0000-0x000001D2562F8000-memory.dmp

Filesize
32KB

Download
memory/4872-218-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4872-220-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4872-221-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4872-222-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5020-7-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5020-4-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5020-6-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5020-9-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5064-150-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5064-149-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5064-147-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/5064-171-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download