Analysis Overview
SHA256
eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad
Threat Level: Known bad
The file eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Identifies Wine through registry keys
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 20:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 20:06
Reported
2024-07-04 20:10
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
47s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2788 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe |
| PID 2788 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe |
| PID 2788 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe
"C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Network
| Country | Destination | Domain | Proto |
| RU | 77.91.77.82:80 | | tcp |
| RU | 77.91.77.82:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
| MD5 | 32990cfa629b89533fb2a04ae8e966c5 |
| SHA1 | 1438ae4069286ca2174ee15b8c5c7cb169c93f1d |
| SHA256 | eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad |
| SHA512 | 3db1b9d51585a66166c579ac1f502a65f77fac95bbba7d9f497b1c82d585ac6aaf095d69279c99250ca13f04bf9e8f048bf61a6113ab879c3f6cfabae0c5a0c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 20:06
Reported
2024-07-04 20:08
Platform
win11-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\550b3a2584.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645971982144456" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe
"C:\Users\Admin\AppData\Local\Temp\eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe"
C:\Users\Admin\AppData\Local\Temp\1000007001\550b3a2584.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\550b3a2584.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c0fcab58,0x7ff8c0fcab68,0x7ff8c0fcab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4168 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFIEBKEHCA.exe"
C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe
"C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1844,i,10037026736497055724,3130966315003766130,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 216.58.201.110:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| GB | 216.58.201.110:443 | www.youtube.com | udp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| GB | 216.58.201.110:443 | www.youtube.com | udp |
| GB | 172.217.169.35:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.35:443 | beacons.gcp.gvt2.com | udp |
| US | 216.239.32.116:443 | beacons4.gvt2.com | tcp |
| US | 216.239.32.116:443 | beacons4.gvt2.com | udp |
| GB | 172.217.169.35:443 | beacons.gcp.gvt2.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
| MD5 | 32990cfa629b89533fb2a04ae8e966c5 |
| SHA1 | 1438ae4069286ca2174ee15b8c5c7cb169c93f1d |
| SHA256 | eec4aaaf11532078af1ae71b818197764474f7fff7bc8a2cd6b495d6e84772ad |
| SHA512 | 3db1b9d51585a66166c579ac1f502a65f77fac95bbba7d9f497b1c82d585ac6aaf095d69279c99250ca13f04bf9e8f048bf61a6113ab879c3f6cfabae0c5a0c8 |
C:\Users\Admin\AppData\Local\Temp\1000006001\18e0804918.exe
| MD5 | de1d8c161d81ba79c888fef77c75db93 |
| SHA1 | 55e3b5e658d41d98779214afb48d34c66bf17346 |
| SHA256 | 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126 |
| SHA512 | 4d243246e4476555a4b018d2df63ae93da8c64096523c8f8b20ba616b0dec97c21e4bed7dced51da50c0908ad3da6b882b11de6d668b71852f2290850a6810ea |
C:\Users\Admin\AppData\Local\Temp\1000007001\550b3a2584.exe
| MD5 | 86738dd73219b83320ba19af11c97e11 |
| SHA1 | a18ae0b3abf1aabece29993b227eef15f8e055e1 |
| SHA256 | 6e517782e2e25b874ddf2861144e814309235517cf517890efff1a183c014b21 |
| SHA512 | 45150d8ddc155c52fde993b308d79bd5fb57c835339de9bee7e98a7a035a79ac947d8ecab8bbd2873b4ba75b3a6a5956769a234c929c183b7fdf1284ce08e3ae |
\??\pipe\crashpad_4304_YAWCOIZDNWSDJPYY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3f10fd0b2e6b270a3ef638b50922f7d0 |
| SHA1 | cdc98ea6a018ce5d6f1f1a0ba4220ebec7740499 |
| SHA256 | 25197e1e22a11b2e0ef5bdf62993280e868327035055f700cf2a5df46dec810b |
| SHA512 | 8c3d386190b32c75058d824e2bfb5cea9f7490bd768cdc7e4a9a1ccfdd95163569baa5cd17de2be3798038da4c3bac753c4a5ab51fff1cc8f49ff747ab2bef6f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1de806d624bf0a1745ac3a8037cff6f8 |
| SHA1 | d319b3cf96447bf62e1a21e6f138eb7c8d39b6a8 |
| SHA256 | 869f6397e5905cc300a4311317f719f5d1eae540849541aefafc6defd4f24929 |
| SHA512 | 1610f40374fea54a1b8a4e2ad3b16cb67bad031c5ebdecea1a4e62fa202973d1180cdd3a6c9de1be79de445f19ffa0c2a148aa4739fdb47dbf3bba6e3d8c6aba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a3ae137d6c8122ab753ae3a865becd1b |
| SHA1 | 88bb78d837d3a6e329dfdd9570d3224ad4cc4d80 |
| SHA256 | 82d39ffc25065452c245031928b8ec50e79cdfd1d3123a0db6799af79ec2da2f |
| SHA512 | a2a48e9ce23d3fbfb7f205e2c6c114303b6e0ac7f1324233a9dc02f43baa68973162dc7f04c51d5977e7c8c7a2045bd017f2b9f1cfddebd90661c77d3bd49ae8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 08ec249f941a630001ed946b45514d95 |
| SHA1 | 2ab8e98d10368a0f0eeef837dd236dcc2f4d92bb |
| SHA256 | 5e9f2b1fa61d93188959cc54ceb185f2bd1be42a06235c5046d4b0670cf4bc91 |
| SHA512 | fd1ac54c311bd29b696c39a853e4cbf735cfffd8d379808ab15e896f685acf6ae7b2a2909bd0813758527741ea2e78906a5cafad616f2d8b94af35834dec0de2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d2c8eed5efbf53fea188abfdeabb3e4e |
| SHA1 | 68f63d28b56a07ecd933f60c8bb08b3b94dd5a21 |
| SHA256 | 0a264f6ae96b3d800c3a38b9d2e8e4b2a1a837a24b5ecbd530cf68f148f66547 |
| SHA512 | b6d7f44e24d390e94c93b34a929ff0fd35f7e0fbd68fe9493f0b1662d2ad161bdea054db7fe255ca90c788b91ad19eac80a492021e535f73243dc9a18f0c6afd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 32264b78c494bbfd178c83693faf0e7a |
| SHA1 | 7bf941669d1ea5f5dcc50d987179e985825ec6d7 |
| SHA256 | 09e6a66bc80ed9cc82b0b7b3c0c7786e6529c6bbf4de919f4f85b9e88f1297b9 |
| SHA512 | 446731c8668433ecf3e8c58d8e1da090dca6d09f1fcfae79a6740854690fb43bcd050fb58475457f8339d232de1ec7494f019f031a24067d747dddc5ae449b01 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | b1222d5d2ce9b439fa13dd9567c55e86 |
| SHA1 | 59045892817209df008c199af065b451a3bf0716 |
| SHA256 | 9bb97c168365e4a21de2e28a4ea7ff3a829db559206e6ba021cd783d8e43e8d6 |
| SHA512 | c80b571173772694b15da17fac46f93b9658766f1d75fc11e9f2f0589f6bc9f432215fe9b433c6b8208cc2d6c89ffd1915fdb533b8e82ec5f8a9e9b2d39488e1 |