eternity | d4e0148bc263ae1265b5c5ba1a1d56661d7afda8c307c52e6f10e47f67921693

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SirWare.exe
Size

4.6MB
MD5

35091354095cf19568ed3174619d1c3e
SHA1

07a1b4569906e04fd6a9832bd4cf999a673f5ce0
SHA256

d4e0148bc263ae1265b5c5ba1a1d56661d7afda8c307c52e6f10e47f67921693
SHA512

fa4365f22291d51ff0fc1c6cd3d29d4fe5d77ff89120c54abece5a6cc42b34e1af124a2a4eca51e97c3ad47d03de3ceb3ccc110818d3b1af911f6b8533921e4f
SSDEEP

98304:brL3/7aNJIxFWP3/7a3/7dkYjLbOlZEfmEvjPVRF/z0A3/7:b3/7aNJCWP3/7a3/7FLb3fhF/zz3/7

Score

10^/10

eternity spyware stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3820-1-0x00000000008D0000-0x0000000000D34000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SirWare.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	SirWare.exe

Drops startup file 2 IoCs

Processes:

SirWare.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SirWare.exe	SirWare.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SirWare.exe	SirWare.exe

Executes dropped EXE 2 IoCs

Processes:

SirWare.exedcd.exe

pid	Process
3016	SirWare.exe
4184	dcd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
62	discord.com
63	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{AECAC401-5235-4661-B91D-2F2B59CB6AAC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SirWare.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	Process
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
1696	msedge.exe
1696	msedge.exe
4492	msedge.exe
4492	msedge.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
4136	msedge.exe
4136	msedge.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3612	identity_helper.exe
3612	identity_helper.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe
3016	SirWare.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SirWare.exeSirWare.exeAUDIODG.EXE

description	pid	Process
Token: SeDebugPrivilege	3820	SirWare.exe
Token: SeDebugPrivilege	3016	SirWare.exe
Token: 33	5884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5884	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SirWare.exeSirWare.exemsedge.exe

description	pid	Process	procid_target
PID 3820 wrote to memory of 3016	3820	SirWare.exe	83
PID 3820 wrote to memory of 3016	3820	SirWare.exe	83
PID 3820 wrote to memory of 4184	3820	SirWare.exe	84
PID 3820 wrote to memory of 4184	3820	SirWare.exe	84
PID 3820 wrote to memory of 4184	3820	SirWare.exe	84
PID 3016 wrote to memory of 4492	3016	SirWare.exe	101
PID 3016 wrote to memory of 4492	3016	SirWare.exe	101
PID 4492 wrote to memory of 4628	4492	msedge.exe	102
PID 4492 wrote to memory of 4628	4492	msedge.exe	102
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 4168	4492	msedge.exe	103
PID 4492 wrote to memory of 1696	4492	msedge.exe	104
PID 4492 wrote to memory of 1696	4492	msedge.exe	104
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105
PID 4492 wrote to memory of 3144	4492	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\SirWare.exe
"C:\Users\Admin\AppData\Local\Temp\SirWare.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\nlg3sr4j.ph0\SirWare.exe
  "C:\Users\Admin\AppData\Local\Temp\nlg3sr4j.ph0\SirWare.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/pESzEFBMN9
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa205b46f8,0x7ffa205b4708,0x7ffa205b4718
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:3340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:2260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4216 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4220 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
      4⤵
      PID:2092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
      4⤵
      PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
      4⤵
      PID:5936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
      4⤵
      PID:6100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
      4⤵
      PID:6108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6776 /prefetch:8
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9190789731929286042,10896882524142052916,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4892 /prefetch:2
      4⤵
      PID:716
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e98efc2490f41e795fe1139479f73dae

SHA1
00e2f12bf01b24cdec11e2c17d6527b9aa82f427

SHA256
e7b29452378739245be9e4c663b45250eb5fe80c50cf14b26321175d3afed15e

SHA512
1e011b13b3fad110b2d29beedc8e778c0d0148242045f9f4b8f193907a9fb7792f4b93f7e82154de947e0d0bf4b8440148d927e9ac0e777a7c3b71bfea771d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
d34994126949b7036efa5f40aac70f86

SHA1
881e5d22222371e004d23f398a7413c17679c9d2

SHA256
09b1d70257225b3e5e727109866116d2db0d4ed132b4eb16ea71ff412a54dcb3

SHA512
f85c2cdd6fa111c5e825fb7e1d4989ecc8b26af01c02cf05d7796642b4888906bc52076d7197573dcbf5b1d97e587726b95a54c18c121487ea8244619573ad93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
837B

MD5
e4831722b20d04cfd5ea5a366311bef4

SHA1
38436a3aaa7b88dc283f77164a5c337f36660ca8

SHA256
5415ce66fff3396bbebbe95ca4070f2a26ad3d8ba4a311bb361e4d02cbcf95e5

SHA512
99334696eedec9dd4d40a55c32660dc6225bb003be5040e0f4d217b5912ad5d97bb98337bc67e9755e40cfe68267e25286ec35ce24d30d186e71fc7e759bcb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1eb335c0064dfb804bd994f34f6c4679

SHA1
2dc74d03f2b036b4e14d09a69bf5713b2b1ccc3a

SHA256
1358929e583672719258fbb7bdd5c4947913bf6dcc26fcf13ecde3cd850c952e

SHA512
0627b1f2aaeda2ac3b862454da29b38584107994b1a9f26a72644f0d5a096f7b5dd53e8eab5d777487eb5d60604ca58fa0b51ef3b4ae44e205f5b615b0761be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b8ccf4f4acd9eae38b648e6d7b08a18

SHA1
6bb04b2e1151c7ea10e9369bd2a157f318b89887

SHA256
91bc92ef9925e7bada1e22c7263435b1cc280cb9318a3f75c667c4803d3950f2

SHA512
fe29861c9a19febb6b00340301517b04db1f21f3937a59324e5159968678b315dac89804f295c44aa03985c5a99fb45da35f8f0a9ec2f0b0da49203e634b2ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e09136eace4ffa35072d3ede9bc88de

SHA1
5c732c26867a24cdaae10d18b15ae5102ef9b7bf

SHA256
f69e55b7709fb72f0c933e1c99cc46d80ebd9241295224e5434139e7ea8dd408

SHA512
f44721b34c4ae8ab207eac4598505d089a5871ff58463337fe2bccd504d09a25775d6bcfd28beca9f1d40cb801a82216248a7a899ad34c2ed968bea88d07849a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ebb843111e48a70e17877816a98ee31

SHA1
c3daab073d09b91d43d8383224868c5b19b7471d

SHA256
e440e1e3999e7aa067c3f3006f04d70e9da777d46766437f50f64504f13db4d3

SHA512
2d351827a621bc745dfcd58644c4b1b99c24e09ae227eb717bc0b390d6bff64e68c5c7fd9532131424a4d42083c84b662bb474674d9a5188d86dbf7726441671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
587738e98cf1a23b6a24db4007cd2c15

SHA1
cb9b22eca85f71644882812e523dde67af6efacb

SHA256
f35c93752661f8afb3a62aad748d9b55a74ee7ae3f01afc72d625f49fd310d5e

SHA512
c1b85288e21c0be1de3a91fef221911238f8deda13cd244d0d3a8af330c1125db0ee09986c698d74cec0641c82f3578ef6ae38cc268cc2f57e13285f79562d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3cba61003ff1e273adad886cef159dec

SHA1
090bbeb3f280653c2da42d88a4e98c87281b55c7

SHA256
d038ad9e17bde53ef64e847cc057a506d83181c3b8cb5515c553ec3fef377697

SHA512
683314cdc87bc5679ee79417bbc4bb8d6c3a3afb0b6a5f983c99c5aabe9fa0cd1209a33573022cee6b4dbab90e51549db4f2577649d6ca8132eb12bdb9bd8706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da92cabc1c9d6d722d1dffb62b6717bb

SHA1
6c18ee63ce3543348c0990f796b516bab5331296

SHA256
065a3c1dafe1f23c8b722be3522cf089da3c19c98ae24bf0b0d5c4b1efdb21e1

SHA512
bf497349b655f953f9a6cd9b87a870f23499ba4cd229692a59e4d4d395bcbd0530bd4792cc586ecc00fec0f151e0ab6dcf4eef86f7db56119708578729b96143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed45a586b770b52f6d5adb191cb922bd

SHA1
e8badb1789001f0f70fae063c87d76a650d9e5a2

SHA256
58bf8403fa7401517d3246bae10fea0298ddcc8085a2b756a9ebb04198454a58

SHA512
e217b110c729b7e0fa6281b2cdb869fb762554ce2a8c31379d251b6d113f4116a73535971782628f698f2e5d848cc5b70984e1f4ab46a6d728f62a9d834996b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1f094796815f160a2e9624ac18bbe554

SHA1
c43fef4ea260d5778c5c575107350ee206703e13

SHA256
052d9abd7828b35540bb9422cfe5f11b10dd87f6aef67d0d4f058aee4fb537db

SHA512
a62ea74d9ff204fd68795f265e6ee48607d3cd63005e8a66b825bfa609fdded3bcf3d0ed50c36135290593bac28614571050a9b9698591a133a87ff72c6e3517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57da04.TMP

Filesize
370B

MD5
f979e109a64e58620ecf466970d8d802

SHA1
9d083d8d3ae558dae3585e082a52781a2640b9b6

SHA256
f9007605c69164107d297c8f74af62ac09e9a4742c496173f0288f2ddc2a4b90

SHA512
04b87945c7be951a4695e4939d6e7ec56247b34a62f447d6ff2e17cd2c6cffe8ac180370bd3347bce65a0fbaa5e3ea09f126f3df3a51cebc093c9227525186bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98ea141113cef75773778a5666ec5ba8

SHA1
658dcd7e5da872470e0cd47a1f38a86116d1432b

SHA256
242f7164cd5ac02869dac1867613ab3ac53b03b9c79b27313061e2939800c8f0

SHA512
6e22891ad97070e37e5616689867eadb355dc53f801608f640864a2068ec9675bf5fe659c3498e16e32e85553d3ec7db7d7d31fc40f2d979e8da363c9fc82ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlg3sr4j.ph0\SirWare.exe

Filesize
1.6MB

MD5
5351af53824ae52d130328dd0f7b8617

SHA1
4bcbd7273737a2a5966f03085385d2057d17e911

SHA256
512ed4e003e35087f08c1a7a40b34ea56860cd8fa16ef0e48c5eaa3ebc4fa043

SHA512
e47f4b4bb569b79b8552fdc0de9648f8fb4ada78651d14dae3d296937627fe40400fc9a41834799dd6b2070d473380f6ebe6a5c670893df85e870af82d2c1d93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_4492_QYCLGWIGTSDIGVGB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3016-19-0x0000026BAEAF0000-0x0000026BAEB0A000-memory.dmp

Filesize
104KB

Download
memory/3016-33-0x0000026BC8680000-0x0000026BC8730000-memory.dmp

Filesize
704KB

Download
memory/3016-38-0x0000026BC75F0000-0x0000026BC7799000-memory.dmp

Filesize
1.7MB

Download
memory/3016-32-0x0000026BC8660000-0x0000026BC867A000-memory.dmp

Filesize
104KB

Download
memory/3016-30-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3016-29-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3016-28-0x0000026BC7420000-0x0000026BC74CA000-memory.dmp

Filesize
680KB

Download
memory/3016-126-0x0000026BC75F0000-0x0000026BC7799000-memory.dmp

Filesize
1.7MB

Download
memory/3016-145-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3016-20-0x0000026BC7290000-0x0000026BC72BC000-memory.dmp

Filesize
176KB

Download
memory/3016-18-0x0000026BAEAA0000-0x0000026BAEAB2000-memory.dmp

Filesize
72KB

Download
memory/3016-17-0x0000026BACC80000-0x0000026BACE28000-memory.dmp

Filesize
1.7MB

Download
memory/3820-23-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-37-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-36-0x000000001CB20000-0x000000001CCC9000-memory.dmp

Filesize
1.7MB

Download
memory/3820-31-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-27-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-25-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-0-0x00007FFA22853000-0x00007FFA22855000-memory.dmp

Filesize
8KB

Download
memory/3820-16-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-5-0x00007FFA22850000-0x00007FFA23311000-memory.dmp

Filesize
10.8MB

Download
memory/3820-3-0x000000001BC90000-0x000000001BE72000-memory.dmp

Filesize
1.9MB

Download
memory/3820-2-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/3820-1-0x00000000008D0000-0x0000000000D34000-memory.dmp

Filesize
4.4MB

Download