hxxps://codeload[.]github[.]com/NoMoreFood/putty-cac/zip/refs/heads/master

Analysis

max time kernel
358s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 17:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://codeload.github.com/NoMoreFood/putty-cac/zip/refs/heads/master

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
75	2808	msiexec.exe
77	2808	msiexec.exe
79	2808	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133417778150923714"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
1720	chrome.exe
1720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3348	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4804	3284	chrome.exe	78
PID 3284 wrote to memory of 4804	3284	chrome.exe	78
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3388	3284	chrome.exe	87
PID 3284 wrote to memory of 3804	3284	chrome.exe	88
PID 3284 wrote to memory of 3804	3284	chrome.exe	88
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89
PID 3284 wrote to memory of 3308	3284	chrome.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://codeload.github.com/NoMoreFood/putty-cac/zip/refs/heads/master
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84589758,0x7ffe84589768,0x7ffe84589778
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:2
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2868 --field-trial-handle=1880,i,15593060600997150532,14659572767447633198,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_putty-cac-master.zip\putty-cac-master\binaries\puttycac-0.79-installer.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:2808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b338ca7369863fada94a2dcfff9af02e

SHA1
ebf8559e3b583ef72b55e5764d9a37b8f02084eb

SHA256
fe7dab9582a26331f248cd0bc29808ba95d677f25e2d60ce2b1cdefa7993224c

SHA512
bbeadff4e23e80126716d03c77924af018e9d000b8a7c502dd9817c928fbae64bc78a9cebc4dd360ba57ee32d48f8a785f2e71141aba89de36c08f76c0c3f417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
24deca2e62e6ccde77963cb7778aeab1

SHA1
7b0141a8dc5aef9acf777e4af9e33a50b31d2792

SHA256
0b5cfdcc273c62195ea9ffa305758020be53fdfa0a48652b357ee157a07de34d

SHA512
d74754b43488b7ca8287347ce9a8f3e03f5c78b3df24a27a30d4d08c1c6beb2dabd00e9439ac67b5685e3400a63765c9737b4feee84cba0ee0d319f7f46fc41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5122f0e23ae36e7f1da658bc3a542b11

SHA1
551bf8ec6cc25fe30e0ec13b6ae590a80d76257f

SHA256
ad4eed72cb32b25b92fa7abfab6933d43447a22538c6b8fc18d764c588fa0992

SHA512
b24be8504e40af1bfa4b1f8a71f10105c6ce444584e4e05cfda0d09bd1933f96cf49e40f09cb125ea80d6d31980f9f905d9c57a5e0c06720c3c77bbd27ae18fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
82cca78c5b9aedc9675c6350bb88aae0

SHA1
3e7003732b4de6e8a80e7965e6ad0efda130a804

SHA256
29e728cbf95af2ff3b6994ab52ca2566c516ea22a9b6e994c7e8f9904439e0cf

SHA512
bce8dd69119068f0c0e3af98bffd2a912a78b43914a8cfeb38e2da7799421e82408682f9d51d23c71250a79d9765a3aa8600f01f66d8ce0b7daebe1cb7cf9dc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
3cf4caa6d708b96d958171db3c69ea75

SHA1
13a33e81da7f2ad9d90848f00fa9536d0854baab

SHA256
910eb89b2b1b5c0a2cf35eee7de358c77cf50f96bc0c69221a129fcf38cfa364

SHA512
960dcde873a007b51f0417eadfcbf55499f9648829a3410de211c405202b92de11e2c7993a6642a20b524b38b7ab01363127a90b73297a5676130d484cdeba5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e2b83d8dbcb211961eac58a796bd2fd6

SHA1
ff9050990e27a7f21687f08d0b5bdb7c48009b84

SHA256
e8a6309a2cef2a440c40d3e26f0a7ba6d19fa0e023d1114b4eabe40172ee0572

SHA512
94f9daf99d52d3b320a8054e158540c7878f470ec6bf7d3a59527ce00325d55cb7011ae39891e3b47399bed5fac7136b738fcec1c83745fd738fc867946109ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a2c93d5183022e87db7cc69fff2681a5

SHA1
e3ea5790e61a727509f1b808fecf333d2b0c8ba1

SHA256
a89a2ddd6ecbb92272a90c17593f5cf7ae12ec16f6c27166160315c778eb91de

SHA512
4920691132cccb2b47708b7e828df40d2ad74c55c19a08ebd58d7108c359f740028f2fee58cd3429cfb7af7c0cc69c211d4484ecc1de6c21201e910edb234b6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8706d4ba4b639568c88027e77493509c

SHA1
bfc41143a75dc1507b3d2040b2b1cca5ef57085e

SHA256
ca86576705568c7921faff44c732caf2506d663a7811be433912ee9123f39756

SHA512
fb462cf567659add8805da936ed71786da695aea804db51c002e9acead4f4256c39d2c36e97daaa57781066ba1b37e0f14a7196d8198c25a8874b29a9ea11f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c664e4fbe00a7851b09c848f0cd34e1a

SHA1
5ae572bad2542d87473d664618c6900792f75184

SHA256
06a9bbbbdd56d7c574a370e014ada4f5a1fbe1b45d2543756e5bcd3603dc4871

SHA512
0b1fac18f57731baee2e504864c0aa4e12dda21ec28933f92b2f76553c5be8df143c9568835c6bbfb8b6b1ec496016503349a07d1a851f53ece690b36d1b58c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
f85aeb6f90525383fbbe926cab626392

SHA1
db76f8c72b7cdfa15d5c82c4ed572608ea79aaf2

SHA256
275e60cbfbc9f8e9ea8fbffae8eedd1cd3816b9627cf9c7b5407854cb9bfb2ef

SHA512
b45e8f4d3da70906efac6ddb5033daf59a6afb206a48bebb937787c3311ee996802c8cbcffa7dec8020b1eaed520e70c54ab32c84f2318ffbb9fa1731b2e4da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
195dd298d9b67e7f31864d21af80f32c

SHA1
080523c89b06fdedfc65f39d293575cc7c1eb86d

SHA256
32431f4b3307662ed0ad6f5edf47283a39c2cfd377e6702d66e1b28d2c751c8a

SHA512
11d50b82cfaefd39e5867e2ece562e9780a14827007c71fa56c1eb90f23488aacbccf0fc0493f40d7e12704c4cc62c9880c08761a37c8c9d5a0089774408547c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58c4d2.TMP

Filesize
103KB

MD5
047aa4ed27ebf5a5597952f1f1feae5f

SHA1
9db20966be797f6356b92c42a4888e55462ce4a9

SHA256
0272da30e47b5daae92cff041dcb1704af531da09895f120b14209816efa9a55

SHA512
086393e7c6581fb11244479ca645f7ba9208370dc02645cab05c5f53ead8546bc0beb264645e59041e923ae1bea6b37372cb4056103c14040e03720e432df91b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit