eternity | 24f7bda2e6d6eaa5608e027d1fe70958e956e9dc9a52ae1faf18d06982036ee7

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Eternity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Eternity.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Eternity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Eternity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Eternity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Eternity.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Eternity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Eternity.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Eternity.exe

Disables Task Manager via registry modification
defense_evasion

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eternity.exe	Eternity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eternity.exe	Eternity.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eternity.exe	Eternity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eternity.exe	Eternity.exe

Executes dropped EXE 4 IoCs

pid	Process
1020	Eternity.exe
2616	dcd.exe
2596	Eternity.exe
2292	dcd.exe

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Eternity.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Eternity.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2220	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2856	chrome.exe
2856	chrome.exe
1432	powershell.exe
2856	chrome.exe
2856	chrome.exe
2480	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2544	rundll32.exe
2380	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe
Token: SeShutdownPrivilege	2856	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2012	7zG.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2864	2856	chrome.exe	30
PID 2856 wrote to memory of 2864	2856	chrome.exe	30
PID 2856 wrote to memory of 2864	2856	chrome.exe	30
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2888	2856	chrome.exe	32
PID 2856 wrote to memory of 2788	2856	chrome.exe	33
PID 2856 wrote to memory of 2788	2856	chrome.exe	33
PID 2856 wrote to memory of 2788	2856	chrome.exe	33
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34
PID 2856 wrote to memory of 2572	2856	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\tinytask.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb0b9758,0x7fefb0b9768,0x7fefb0b9778
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:2
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:2
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3512 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3856 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2860 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2688 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2528 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4088 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4212 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4232 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4552 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1900 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4600 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Project Eternity.rar
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2544
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Project Eternity.rar
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4696 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=2348 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4336 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=1428 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2604 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=1336,i,11262202688399562438,14423556893618356089,131072 /prefetch:8
  2⤵
  PID:2220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
PID:2244

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Project-Eternity-main\Project-Eternity-main\Eternity\" -ad -an -ai#7zMap7771:166:7zEvent30022
1⤵
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Users\Admin\Downloads\Project-Eternity-main\Project-Eternity-main\Eternity\Eternity\Eternity.exe
"C:\Users\Admin\Downloads\Project-Eternity-main\Project-Eternity-main\Eternity\Eternity\Eternity.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
PID:1020
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

C:\Users\Admin\Downloads\Project-Eternity-main\Project-Eternity-main\Eternity\Eternity\Eternity.exe
"C:\Users\Admin\Downloads\Project-Eternity-main\Project-Eternity-main\Eternity\Eternity\Eternity.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
PID:2596
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2344

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3060

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Project Eternity\" -spe -an -ai#7zMap30900:94:7zEvent32288
1⤵
PID:2744

C:\Users\Admin\Downloads\Project Eternity\Eternity.exe
"C:\Users\Admin\Downloads\Project Eternity\Eternity.exe"
1⤵
PID:2568
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  PID:2700

C:\Users\Admin\Downloads\Project Eternity\Eternity.exe
"C:\Users\Admin\Downloads\Project Eternity\Eternity.exe"
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry