eternity | 3f3ab2843bb08bd7506fe8046553e954be472cbb4012522e63b13df607bc569f

Analysis

max time kernel
92s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloxflip
Size

279KB
MD5

58a3e51d3146d9175a8a39e705fd2f9b
SHA1

8bb82fda35ff3d90748292b8a4425ffcaaa3c253
SHA256

3f3ab2843bb08bd7506fe8046553e954be472cbb4012522e63b13df607bc569f
SHA512

002a15abfa86e353286ab4bc2c54dd2faa2f9a1852376a090912a920dcad02931d718df15d1028fcc3d7dfed28bdf974270c9ca054f628268c3b291040f2dd42
SSDEEP

6144:Dqoj72n9dH5M2vkm0aOCl3pId9Rd9svZJT3CqbMrhryf65NRPaCieMjAkvCJv1VA:uoj72n9dH5M2vkm0aOCl3pId9Rd9svZr

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000002353c-267.dat	eternity_stealer
behavioral1/memory/4352-290-0x0000000000260000-0x0000000000346000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe

Executes dropped EXE 6 IoCs

pid	Process
4352	Loader.exe
1056	dcd.exe
2952	Loader.exe
4248	dcd.exe
3048	Loader.exe
4868	dcd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
66	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652644504183806"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2828	2872	chrome.exe	90
PID 2872 wrote to memory of 2828	2872	chrome.exe	90
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 4756	2872	chrome.exe	91
PID 2872 wrote to memory of 1472	2872	chrome.exe	92
PID 2872 wrote to memory of 1472	2872	chrome.exe	92
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93
PID 2872 wrote to memory of 936	2872	chrome.exe	93

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Bloxflip
1⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffee4b8cc40,0x7ffee4b8cc4c,0x7ffee4b8cc58
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4760,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3464,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3476,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3544,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3216 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3420,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,15699060524096115749,9033396958201577342,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:4404
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:1056

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3464

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Drops startup file
- Executes dropped EXE
PID:2952
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4248

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Drops startup file
- Executes dropped EXE
PID:3048
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0ae6d090-d2b3-4e1c-8be9-a22eceda0cbf.tmp

Filesize
182KB

MD5
3626304ea1629000d88b50867d603cc1

SHA1
30833220b661e3621abf470225a44f6c9ec88b02

SHA256
407afe6a6a8d77a95233ce4ad041477ae6098cdfe0ea7b3563afeeee0560c585

SHA512
f990d66fac28349ad6225c969c644bffdd3f8e2c305e3247f489827c049a80e4d3ff13e0c30d5756590a423637f8ff30022a20405ff11e5564b5ea8236f26dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6b02063e10518282a9cd1ddc58550bd8

SHA1
3eed420b335f25b9b03c0b7a7319056655c41106

SHA256
34b46b132ae02b0b5db2639d0bfd5c2bbbef5553c2a3aea818c6892c677f318c

SHA512
02bfd167b6190dd5c74e0c73fb727d5c52d6bb6a5b6d30d82ae8b2e9e52707c568697aa7c96267c213679e9cf7ff58e5dbde7f5fbb1d94caece0dc7055b821b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eb3fe559135f5801615dd15e2d2654cc

SHA1
c2185d0e282283e7526f34f4c20c184565b6e760

SHA256
2585c5bc0f8860970111cc82d8c7eb221114d6afdf7d289dfce917475bed64fa

SHA512
821acbb478ed269ef0043a6938728f04883e17dfab45ea636726bcf9f64f967bb42d32a58210f7e4a5c2bc676011a3d67dfa235593ec92e3c0f9f2e2c2b2cdd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a7de809703e98246ce62e0b941cb70a8

SHA1
c371019a18d906e7eba798248de5d33911bd2321

SHA256
f94cc3cec107505ad8b3c50bb380591cea03fc039022cbd476578683c911a382

SHA512
9a12665cbc9ef40488e59ff82411d7a96722951a5b40be4f6eb841ec4afc5b7d21a1e28f622c20bfc7c24129f64b1e990534fb4941bb1393d6dbb87358e8e046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e51ae35f541b1cc5b107956931fdd9c6

SHA1
e5f88446e4fbf0f96a50bf795dafc12dae2485da

SHA256
07f5e18aa606cb7cf07f7266b21b8c0617fcf1a24c343c44b17fce11d7b75d11

SHA512
7db290629a99e5bb1382ed9476508ae03a99919d280b31beca47b4a1bf45b647ef8ec6ce3124ebbb563705cc0d02b866e0ceaca78b3720805c06a83da8f9469f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ff8015439859591602f3f3fe7972d189

SHA1
ed1c1025b4068bb3c870ec302073d1d63e76ca63

SHA256
c7dbd74ea20b60272b83bd43e5f3f21012c2b3d2c06ad995c022ebbdfbe18f9e

SHA512
6995b3d2d47690d6422e025966aa96d77ba72e9aa3049ea537eb3af909c5a0d3d22cfeed55573d1bbd07579547683a84ebef01ccdd853e6e8003496b7da0cc14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3e792c12489abe8258ebf2aeb60efadc

SHA1
57894e88c11ab91772b7aa42d86bcad29d0f17b8

SHA256
fe3b3fa93ae39117627331518647c0a5dd032ddfb1b9763a72f48d47824a4194

SHA512
7e71e9dd44bf7d1aba61b18a7d08a30551018e2bd642a62f2db3891f6eaf79372d965e96d1a4fc43a7be0d1aa0aa53e5d1efc423b868ecc5dbed29f2e1e8b99c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
341a52b8bfd44213202dccbcc0c5aaef

SHA1
2ed4435e0c165e79a9fc41f4d358c14b587fe297

SHA256
739509a732a940db39e03b3e96d647855af08013cb0bcc043799c42950dc65f3

SHA512
b22f6e9c984627ec3e55e4833aabab815a6b62c894e6055f2ba2d335d53343319e1220a96875e41bf337f5519ed701946f67b6c5f0629943e14211e6fd4d45ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13a4db67c34cab72672340865cb433fb

SHA1
2c22ed0adb4c5c27adf37390fdb25bcb772d216e

SHA256
b6ecc8affde0d16780984e8d32d89ff87a224227760ddef78647475bff8113ee

SHA512
64521577cd9ef503c6fae2ddae863010350db01524ced6d1cb57d062ce84eb4912b6b933c19f5e6013cee6e2ce2b27d496e27c43cb6c2b33b3507109cf4a2d05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
988bf3481ff25b9878c7003d106e6156

SHA1
3adfa15d7788d90877851a66861eb7fdfe1a9674

SHA256
ceb323778dbd41c7851543f1741c43c1cc4c4efb3a3d3f3b98fbea30c90f5528

SHA512
c259e57f6546eb511fe0fec686180f04635c8a4419f11e5b9e30208c3e2abf9747aab36ff1fd27a549902a15dda1b28c7207c932f3bfead31bbf4467840df284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86b3b1280d0cb512598b8db1ce7bbfa7

SHA1
1773d404086e3135c03d2873632073249d52336b

SHA256
a76bf1208474fd15fbdd254da4c9e5a5839d64af2f467f6c6bd505472fbdd672

SHA512
4e2d91a625503b479fbf9ff02734cc9216ce56057e640963ebd0f397a53f9e30328f21631102c1d97cbc132903d1421b48ae681f29aca1b0f4252dd4338b53fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5407f863cb926db3e0de6acdf3a53bdb

SHA1
46d2c6269818fbd6e0c5bc3eb5c2807d83a74138

SHA256
db0c1a0f68dc269b06b326bf7a5091966800aa663828e6f359ef01005df4b799

SHA512
6975592489de49313ec1285312638fd2c0649fe473c20ea04b0a3f2ec413a6930ad95d04323aa284a3a45a7157183e2ce4fdacae8734621e28ed1ab26bbcdf5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
94c0113f4e6fe69d447cf455b2f39da2

SHA1
d6da4b06f7a2b90900065163289fd21da30102ce

SHA256
f2930733908463423ec693c1f2cf6d731b8442cdab30af015c30c924b619b612

SHA512
a52ce022b22f413fa673b60d6d585d86273502561981fe48b73c9f202d64792129884bfdd482806876b6c1ae378b79f1bbc9c4d160ce24f602f8e9dd29d4a453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
d8e3f875d412bf49b8ae0989722b7d6c

SHA1
3f6b630f7bcbfb4216989ed60989e0d19663d444

SHA256
bcd1ddbdd70815b3a54b290e6217d6fe0da0c2f68b113078ea07b7744492349a

SHA512
930586c823b44477e8584e7628a49dc61908da761a8b2d9953d1bd8531c8c67abd79d06f061928e7dc70e3eba44a1089c7673060d85456e77c98ec14605be774

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\Loader.exe

Filesize
887KB

MD5
4921715c2581f736e92ea569def50a69

SHA1
85d44e955199463ca786b2ef4ca95189704bb599

SHA256
d25991745f08ec053c593fe639303859ec6b50a02fd04f86223526d5563062ba

SHA512
4b18a2361f9e0be0be1d3fedcd82c0e900b90cb96fe084c7937e8a0e60711e8a39394891d91f06e62f57026a1f98116ffa1c2ee41e168e59e72303562d823127

Download Submit
memory/4352-289-0x00007FFEE0B03000-0x00007FFEE0B05000-memory.dmp

Filesize
8KB

Download
memory/4352-300-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-301-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-296-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-307-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-294-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-319-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-293-0x000000001B1A0000-0x000000001B1DE000-memory.dmp

Filesize
248KB

Download
memory/4352-292-0x00007FFEE0B00000-0x00007FFEE15C1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-291-0x000000001AE20000-0x000000001AE70000-memory.dmp

Filesize
320KB

Download
memory/4352-290-0x0000000000260000-0x0000000000346000-memory.dmp

Filesize
920KB

Download