njrat | 3f59444186757a488078438ecc19c6f8e37e14e682d2ceda2c65582ab731f3eb

Analysis

max time kernel
73s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sleezy Perm Spoofer.exe
Size

37KB
MD5

169ca703920e9eeaae4c118538493a3e
SHA1

21f069559e4b606423b587b7d8ddd54a8eb0cbd2
SHA256

3f59444186757a488078438ecc19c6f8e37e14e682d2ceda2c65582ab731f3eb
SHA512

bcdb446ecb9aa4f902f0383005acfd08029301c6c1da19835e79763953ae9c600e0ed80e4c67bf27cb9b1785613fef561278e93aa79f57198dbb0a556aa0eeca
SSDEEP

384:P+QnVSikm70NVtv/Vey0bM50vtEsuq/aZrAF+rMRTyN/0L+EcoinblneHQM3epz+:mo/O1VV0bMuWlqMrM+rMRa8NuaXt

Score

10^/10

njrat sleezy discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Sleezy

2.tcp.eu.ngrok.io:10394

Mutex

5f55366198fbf5f44b30c59e431ef9cc

Attributes

reg_key
5f55366198fbf5f44b30c59e431ef9cc
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2820	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	Sleezy Perm Spoofer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f55366198fbf5f44b30c59e431ef9cc = "\"C:\\Windows\\Sleezy Perm Spoofer.exe\" .."	Sleezy Perm Spoofer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5f55366198fbf5f44b30c59e431ef9cc = "\"C:\\Windows\\Sleezy Perm Spoofer.exe\" .."	Sleezy Perm Spoofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	2.tcp.eu.ngrok.io

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	Sleezy Perm Spoofer.exe
File opened for modification	F:\autorun.inf	Sleezy Perm Spoofer.exe
File created	C:\autorun.inf	Sleezy Perm Spoofer.exe
File opened for modification	C:\autorun.inf	Sleezy Perm Spoofer.exe
File created	D:\autorun.inf	Sleezy Perm Spoofer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Sleezy Perm Spoofer.exe	Sleezy Perm Spoofer.exe
File opened for modification	C:\Windows\Sleezy Perm Spoofer.exe	Sleezy Perm Spoofer.exe
File created	C:\Windows\Sleezy Perm Spoofer.exe	Sleezy Perm Spoofer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sleezy Perm Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sleezy Perm Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe
2440	Sleezy Perm Spoofer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	Sleezy Perm Spoofer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	Sleezy Perm Spoofer.exe
Token: 33	2440	Sleezy Perm Spoofer.exe
Token: SeIncBasePriorityPrivilege	2440	Sleezy Perm Spoofer.exe
Token: 33	2440	Sleezy Perm Spoofer.exe
Token: SeIncBasePriorityPrivilege	2440	Sleezy Perm Spoofer.exe
Token: 33	2440	Sleezy Perm Spoofer.exe
Token: SeIncBasePriorityPrivilege	2440	Sleezy Perm Spoofer.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: 33	2440	Sleezy Perm Spoofer.exe
Token: SeIncBasePriorityPrivilege	2440	Sleezy Perm Spoofer.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: 33	2440	Sleezy Perm Spoofer.exe
Token: SeIncBasePriorityPrivilege	2440	Sleezy Perm Spoofer.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: 33	2440	Sleezy Perm Spoofer.exe
Token: SeIncBasePriorityPrivilege	2440	Sleezy Perm Spoofer.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe
Token: SeShutdownPrivilege	320	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2440	1300	Sleezy Perm Spoofer.exe	30
PID 1300 wrote to memory of 2440	1300	Sleezy Perm Spoofer.exe	30
PID 1300 wrote to memory of 2440	1300	Sleezy Perm Spoofer.exe	30
PID 1300 wrote to memory of 2440	1300	Sleezy Perm Spoofer.exe	30
PID 2440 wrote to memory of 2820	2440	Sleezy Perm Spoofer.exe	32
PID 2440 wrote to memory of 2820	2440	Sleezy Perm Spoofer.exe	32
PID 2440 wrote to memory of 2820	2440	Sleezy Perm Spoofer.exe	32
PID 2440 wrote to memory of 2820	2440	Sleezy Perm Spoofer.exe	32
PID 320 wrote to memory of 600	320	chrome.exe	36
PID 320 wrote to memory of 600	320	chrome.exe	36
PID 320 wrote to memory of 600	320	chrome.exe	36
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2900	320	chrome.exe	37
PID 320 wrote to memory of 2996	320	chrome.exe	38
PID 320 wrote to memory of 2996	320	chrome.exe	38
PID 320 wrote to memory of 2996	320	chrome.exe	38
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39
PID 320 wrote to memory of 3068	320	chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\Sleezy Perm Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Sleezy Perm Spoofer.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Sleezy Perm Spoofer.exe
  "C:\Windows\Sleezy Perm Spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\Sleezy Perm Spoofer.exe" "Sleezy Perm Spoofer.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5fd9758,0x7fef5fd9768,0x7fef5fd9778
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1320 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:2
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3116 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1296,i,7369366766642472538,9079818524263673506,131072 /prefetch:8
  2⤵
  PID:2444

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2764594a-5716-4e2d-93dd-0d4f38049135.tmp

Filesize
328KB

MD5
0d19d6b9ae09ff02ff5f665d02b414c4

SHA1
6947519822a1ae7f470df9ea787002cda0118246

SHA256
0c90883d5c9990a6c62d0701e00dfe70d94b1e34c18bc34e657c7094724868b1

SHA512
6fce1ce40495146161a9a4fc65647de195d68d1de3250a8f85caeca38a72a629133ccbd5cefbb49d74c65d1812c439bb5c93eba866b54a8ac50b46671900b8a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
12b53b0b1ff2e04c353c88d619904b7d

SHA1
d93ea2456611a13614fea821ee11f879024b02f7

SHA256
5a1136cb642d9c03b4c31e80e01fa72fc040e522ce3fb4a5f1cf77989415113a

SHA512
2d2693b4bbe885bdaa40e499065dd8a890b8cf8ed74120069f0b07d7c2675b3066ff5174d2b4389f17af7d93ccfb459dc408819593b747ad1830c6ce69cf7140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9a25f4298b045b0f2d45dddc21f1b6bc

SHA1
d2a6fe958709a22a46708e3175c0c35e012909df

SHA256
7ca470403c624c97efd0fc66c213234c28d0696102d414bcdbb5e1cc9f15baf9

SHA512
154a2548b5bd94c20511c090e0ca2fbe1f6246286add98b1c8019b655f34814e9c70cd0bbd2ca5e4d797b33d21e98fa6cf00b121f96ee69e5156eaadfa266e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
19f0d054a9b0842003d77d945b89a7fb

SHA1
163c75ed5c2bf63318fb0896dee3161f2cce87a4

SHA256
0dad710a1fce9d44022f62320beef38293fd636a76b161fa4fa1c135f64eb0ba

SHA512
f1ca430097b51df56f7af78902783fba89c96762ae928246b8dc766c017976e1c2612c15f6677d34649bb2108d1d6ff11561ceff2cb604ed3da02c475e271870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b8d0195b7b7229033aa00468e59221d9

SHA1
e0c375fa8358faae2a8f99a952adb8042bd3a4ae

SHA256
f463ddca15e63b4c43951a72755d240ab76d7e51b21c19416169e6fd013d87ae

SHA512
71bd17e2dec57fd0e4584294e16db216c3d51cf59234d350fe03663a36333f48eca50ac2ed90f4aed92e94f8c0490cbb07929beea07abb05200846c2faf81f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
328KB

MD5
2465bc99056b4c114d2e936ec7567220

SHA1
d430b7e563b58d3c51f20876cdeacb0ca23ab4f5

SHA256
70f61ef73b49276fbcf74552fe6fdf6b00fed3d6b4c54bc5ad5eda4d69f23b53

SHA512
d95ea6b954cd74d32754a5ec2cbe0572208efb0c32e5a6f36d16e8022a4838896f3627f9780eef2279bf729eb0ef624673e6e6341c46b4dc0032ee4f3cf93b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Windows\Sleezy Perm Spoofer.exe

Filesize
37KB

MD5
169ca703920e9eeaae4c118538493a3e

SHA1
21f069559e4b606423b587b7d8ddd54a8eb0cbd2

SHA256
3f59444186757a488078438ecc19c6f8e37e14e682d2ceda2c65582ab731f3eb

SHA512
bcdb446ecb9aa4f902f0383005acfd08029301c6c1da19835e79763953ae9c600e0ed80e4c67bf27cb9b1785613fef561278e93aa79f57198dbb0a556aa0eeca

Download Submit
memory/1300-0-0x0000000074131000-0x0000000074132000-memory.dmp

Filesize
4KB

Download
memory/1300-9-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1300-2-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1300-1-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-19-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-20-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-10-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download