eternity | hxxps://mega[.]nz/file/gK8khIAD#FnNSOlDQmOeQEZNmD_YxvtJQfQwsZe2YnPGdQlNCRTs

Analysis

max time kernel
164s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/gK8khIAD#FnNSOlDQmOeQEZNmD_YxvtJQfQwsZe2YnPGdQlNCRTs

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1344-251-0x00000000006F0000-0x00000000007D6000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growpai.exe	Growpai.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growpai.exe	Growpai.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	dcd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133537334810278708"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1844	chrome.exe
1844	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2396	loader.exe
1304	loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 5068	3812	chrome.exe	85
PID 3812 wrote to memory of 5068	3812	chrome.exe	85
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 456	3812	chrome.exe	90
PID 3812 wrote to memory of 4840	3812	chrome.exe	91
PID 3812 wrote to memory of 4840	3812	chrome.exe	91
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92
PID 3812 wrote to memory of 1440	3812	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/gK8khIAD#FnNSOlDQmOeQEZNmD_YxvtJQfQwsZe2YnPGdQlNCRTs
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d46d9758,0x7ff8d46d9768,0x7ff8d46d9778
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:2
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4968 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4468 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4828 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 --field-trial-handle=1868,i,10358589664712275124,16233688637683754813,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x39c
1⤵
PID:2364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1368

C:\Users\Admin\Downloads\Growpai 4.5\Growpai.exe
"C:\Users\Admin\Downloads\Growpai 4.5\Growpai.exe"
1⤵
- Drops startup file
PID:1344
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Growpai 4.5\read me.txt
1⤵
PID:1868

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Growpai 4.5\read me.txt
1⤵
PID:1928

C:\Users\Admin\Downloads\Growpai 4.5\loader.exe
"C:\Users\Admin\Downloads\Growpai 4.5\loader.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Users\Admin\Downloads\Growpai 4.5\loader.exe
"C:\Users\Admin\Downloads\Growpai 4.5\loader.exe" "C:\Users\Admin\Downloads\Growpai 4.5\Growpai.dll"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ab85dab5b4d3d3aca321dc31fcf15cf3

SHA1
ce6695cae19ef6993efd2005b12a3823d7f04da0

SHA256
eb0b24d95fd772f9b2236a0830f55b594ef3a72392ece4ea4ed7a5b4947b12d7

SHA512
75f59729f6a8e3ccdf66cfd55ab017dc4495072f29003f0ea2396d7997ab1bd3a9586a9bb17a284f0bef1746b3eeeaede0fe6dbb4a393bfad770812c463c6136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0db69f7b92e951de4d39aa7246f39926

SHA1
a8909451a5eaca04694a43526a47dbc2aed47b1e

SHA256
8283053214fd1963653c5c5b4e55e77d5805767b8658822b5aadbd718a9f3100

SHA512
cced6b17e15bb0f0d4cb4d5080ff5964a5170c2461431096b07cb7524f468d5dc9de2d3652bca0af8c90ad6735a97ba595e2702d70ddf1918672f41bda089f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f49286551e0269dbfff75bcd5056f3dd

SHA1
3d197fa55c3b297527cfe3949d327e9c0b45e844

SHA256
4432896fd9cc2b01b2e2bae07a25e920cb21152c200775668fa778ed241c50b7

SHA512
b6e3d2c7e08f2308bae4ab2d3f5ae882f73e32d34657d3ba555553be9a79dfdae8384d3d0b7abc0c7522269d4433d9d7da7dbd37ae5c00ab9028346aa8e00996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
3e00aa13fa79809c716cefd09510d0fc

SHA1
4f1c666a63d4758f42ff39c9a8893ca2b73c39e2

SHA256
5814ed1e58b41bf5520d159eeced092e63a18c2fc732a27234ac1cdf49170d3d

SHA512
e5e20c46437120b9c25f510a7b7ea657daf1f343eb8fdabf12798b86c9080a59021e551df1c29f41e3dc6d4fcf2a76e501a716d9e0c756095764ec677756ba73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
72965a48df6d1fc3e33fcfe2a2abb0b7

SHA1
1d60783f1643297dec12a487e4315cc0f437cc7c

SHA256
cd45fb6ca5c58f43ba418fb343bc7ed455c1bb49a050d4f4f7321c5cf558ef5e

SHA512
13490d5c90e256f9c90600fa1aca5a5e4034293ca3c85ec781c0e105e0b48fbd0f9a79e6ffe6126c5f94c0f644f120dc02db13de9ff16184c082d4b525ec8e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2fa336f4bce2b4a5cc82a431a8c332d3

SHA1
ee1e5d890ee944d492ac082b0f50636477e5973c

SHA256
b4bec8106ee69cc0a0bb8d11b3b1451007991f4c07db829695745020a7ee3bc7

SHA512
23dc1df3bbe34fd112d023efbd48db77b006541d971069c58880e1b3f8e01476ded9a7bc47ae039591ae915da08af8ed11d65e39ca54aaadb750b8f9c83051c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5e9a4a3284a2ec7937a2e03fb68a611d

SHA1
eaa7ab4c081f258e07a05bfddb289c0d0d8c231f

SHA256
a4aace95c775e9d3cecf57d74dee5f978a8bad33968a36ba3f34902f796175dd

SHA512
942e06a54dacd5e4bb7ceed236c54bf987185cb569c4dc028157f695b67ea3ba6198529cb42863ff1bd23bdb8a7d90658db18abd9d1d5e3740672bbb87c0891b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7475be477eac75bf9363936b2a7f341c

SHA1
9ac8986e8674869dfa2d7af32a122895247ab5da

SHA256
1c86fd99d50a62c827c2712ec3613fea574bfe525a604cb700ce92aed29ffcef

SHA512
5219f56176936f9cd67453fc80c6ad40e83a1c9f7d81c2179bf105d94d77ed9ecda404f90c5e0a27e535d1041a475df3ee41916b11b3a8ef6998b3d328aaaa88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9652869f3ea8d35ac4ad945cede630a2

SHA1
5f030ead59d2d05e4ee4286fe2481755453a7461

SHA256
54d3ac2d0d4ed35d5f3aaa49443a4e297c04c6d16cbeea00e378211fdcc7550c

SHA512
2fbeb5bb25899dd3c28762d6c1c5e54e753e14bc631c137c07e2256565e46cd17c935016557b6f1f91597b9d00ec1221fdd8d9fd891a0fe839c5cc42b7174636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c5ff.TMP

Filesize
48B

MD5
df4f76397f65d02c4461ae0c330e6cd1

SHA1
389c6f8ace651023867d77497d6a4b4a8ebc6a6b

SHA256
ddda8579f9cdadfd19359dc71159df1101f8cfeca181f1d6cfd066ebcd894476

SHA512
09e35adfd59b64cb58a9f1e2d002d39fa0dd8bcba77aa05c96977a1d24373379133093d40ca08cfc092c2bf5aa99996c9ae744659a0e0cc43118c3f1c79df9b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
156fce47d9bf8cb125271772fe4e18d9

SHA1
89e25b24ebf6ebd6d042f2d4a52059504dbac9a5

SHA256
413fd772d52c1e3eb708e643daed863704c49eae18616a253107d1ffa13ad444

SHA512
b3747b15186d783c9fedfc2a4b062a3cb218dfac379dd6f084e49815b881ed044e23cf5aa24734b2a224a82a7c5d06017f58e4ded539aa52c1af7c77e89836a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
91d5b81f0afc4097e1bdb7ec79eb4d0d

SHA1
1f8817a1046b6bc98183551ca0c66432ab58a8a2

SHA256
6aca480b488c9a19fdddcb3973cbc53779717d57a27b66733dbedb4211e543bd

SHA512
e6a6e40f862ab1f97ce08b26b3dabd4f814f736e3f6f4d75382d325a3f71c3c59687e2869d144d9e151f31fd0c08aa1f47103d3b5d686f465578b3f688bd50cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\Growpai 4.5.zip

Filesize
5.8MB

MD5
eb35cc484a3fdc791c2f7a5ae46dc40f

SHA1
3bc5a405d9c365ff5a5b0a757f4cd7287309143a

SHA256
654bed2e036794c0964ae9212dfb9d361aaacf3aef6d0abab79c7709ae510b2c

SHA512
b41af5576aca450e223a311ac08c232e67beb38bc2c0c3dec88feca8e743cd602132bc951e04ff3a0cb47be6e70721b5da2dedcd15b835a24aae43f95ca5f8ea

Download Submit
memory/1256-281-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-290-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-292-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-291-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-287-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-289-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-288-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-280-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-286-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1256-282-0x000002034ADF0000-0x000002034ADF1000-memory.dmp

Filesize
4KB

Download
memory/1344-252-0x00007FF8BB250000-0x00007FF8BBD11000-memory.dmp

Filesize
10.8MB

Download
memory/1344-253-0x00000000028F0000-0x0000000002940000-memory.dmp

Filesize
320KB

Download
memory/1344-265-0x00007FF8BB250000-0x00007FF8BBD11000-memory.dmp

Filesize
10.8MB

Download
memory/1344-257-0x000000001B480000-0x000000001B490000-memory.dmp

Filesize
64KB

Download
memory/1344-254-0x00007FF8BB250000-0x00007FF8BBD11000-memory.dmp

Filesize
10.8MB

Download
memory/1344-255-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1344-256-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/1344-251-0x00000000006F0000-0x00000000007D6000-memory.dmp

Filesize
920KB

Download