eternity | hxxps://github[.]com/HertZxDs/GrowPai/blob/main/GPAISETUP[.]exe

Analysis

max time kernel
40s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HertZxDs/GrowPai/blob/main/GPAISETUP.exe

Score

10^/10

eternity discovery stealer

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0009000000024197-628.dat	eternity_stealer
behavioral1/memory/2308-642-0x0000000000040000-0x0000000000126000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity

Downloads MZ/PE file 1 IoCs

flow	pid	Process
120	3348	msedge.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GPAISETUP.exe	GPAISETUP.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GPAISETUP.exe	GPAISETUP.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GPAISETUP.exe	GPAISETUP.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GPAISETUP.exe	GPAISETUP.exe

Executes dropped EXE 4 IoCs

pid	Process
2308	GPAISETUP.exe
5264	dcd.exe
4128	GPAISETUP.exe
4424	dcd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
118	raw.githubusercontent.com
119	raw.githubusercontent.com
120	raw.githubusercontent.com
112	raw.githubusercontent.com
113	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_3872_1210954285\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3872_1825629841\_locales\iw\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880801443054417"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{124F4297-9258-4BB5-8E81-416DA50538AC}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	GPAISETUP.exe
Token: SeDebugPrivilege	4128	GPAISETUP.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe
3872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 4112	3872	msedge.exe	87
PID 3872 wrote to memory of 4112	3872	msedge.exe	87
PID 3872 wrote to memory of 3348	3872	msedge.exe	88
PID 3872 wrote to memory of 3348	3872	msedge.exe	88
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 4852	3872	msedge.exe	89
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90
PID 3872 wrote to memory of 2892	3872	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/HertZxDs/GrowPai/blob/main/GPAISETUP.exe
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffe94e8f208,0x7ffe94e8f214,0x7ffe94e8f220
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1716,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5032,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5436,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6196,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6164,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6664,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  PID:3916
- C:\Users\Admin\Downloads\GPAISETUP.exe
  "C:\Users\Admin\Downloads\GPAISETUP.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7108,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,4087854118627452254,7714003684007209248,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1692

C:\Users\Admin\Downloads\GPAISETUP.exe
"C:\Users\Admin\Downloads\GPAISETUP.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
fdd2be9f4579e4076889ff4ba763cc8d

SHA1
2be12ffbf2ad9194da6f2ab94f129d23b19b4cea

SHA256
0644fa0bf09f06a0ee0da17b35995fe8778278b6241d2df940411b74a8d3a4f2

SHA512
337a639a92423304ccc97ca0e92b00e1689ca25161c3e7d6d4cbdd81f4ce6aa5e72c95f213ae67b5bcd019c87b795461aefeae44d2586e918a902ec0959193a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57e02e.TMP

Filesize
3KB

MD5
164bc67f5f66b4be3224c9a0fc6d25fa

SHA1
d881daae40dfea279eeea2d84e07177da188c759

SHA256
12a164beeee4e650440db042dad93d9c3f54c343739d05a97d8f4a96bad2daba

SHA512
9309b81ec1dfdd76e2d4432fa7e81838f177462de2f1ad03af56094e5521d6162d44ee4b7fc795b7962d6a3caa74db5417645ee64f0342b49c2db944128874b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
105cf170685678060e17049a4c3785f2

SHA1
05b8b565a0453265e1ec5d6d606a92990dfbdf1c

SHA256
4f18651652986a9044366221f81fcb3c78c77a27caa9016879aaf5eb41d46f42

SHA512
ee9da32ebf48946eafee96c82f7286f66094ed981dec896a60a7dd30ae63c903c5040c2a9709c4f4da9676403f4c82768995359abfecb1db203a0414fa15c79c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
c49f211c7cd7f8b9d21e9547bcbc4d3f

SHA1
1105d19ecc248e96935750529f19c4a23610e535

SHA256
e1d47b8e6b171560de4ec3a6e3f2acca67d73912b0c678b5ca545ebfb8340feb

SHA512
5b6089a5a3f11d4659f7a63f7927dd31e4e59fdf53d517b0f6688004bfef144ed2cfefa5f38e642ca767e00c37b47c03731eb1eddb77b1dcec424e8b663e7872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
764c1ddc268ade7a865610b42ff6f964

SHA1
c6cef83e8ee050eda4f055c1a11c075085d47a6f

SHA256
d39f47374168933a972fb5b1633505c2b818c57a27c83fb39bbafc49654f8e3f

SHA512
8f94e2f368d944df6e08b823636b734a6d0c60c4105e9681fe9ac41b2e6fe3f97860007566f49158d2af29c5594ce97ac10ff6f1705a6dc3eeb6c664e4ed362f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
1701096113d3f09f63979f93a77181d7

SHA1
4d252c176a9ff28f1727c3fe9844e923b70b18b4

SHA256
ce36c69dc9a8c928da6b0dc396a26b3f8669645a45a05767866d4977451e096e

SHA512
6e5b54cefeb443d00c912f20cd0185f5353926c482172927af3815c338f9ad48f29503c0a0a362cdd6d5b2c3302ca7bc499266eacd36e742d967f9d71d97da9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
02b3a236506871ae20f651cba3da02c8

SHA1
2fd8acde950ddc0876a79367adca9b58d1875055

SHA256
cd37704d4858e572e3927254c8566d0a3eb5be32c1bf3c4ae4b2bc01efd7d277

SHA512
bf1e3e3b1bd8729b084f8ab35f3e0d669c9f857deff899bc6f6c3ae002612fe17697f469e82589b226025f964755a22de810adfe5130e8356e8f120f96e9bb0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
7cd3e4d9802d5f7c35c6bed5c34e9b10

SHA1
7221c1eeb9c3655d6569764b760900de2a74de3a

SHA256
b44c71ba93fd022787074177c5da1c7733edc6fd4578fafbe5ddafec537272d6

SHA512
85d00b32cc4d6fbfd1e37daecae4cf86bd0af7274ac42101385447cad0e44f86b90a62b3af58dba7895a33aa3a02b85df85d9a3ea838a0658f9eb29ae93e2616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a765cd593b5d463ef7cf865f40cd21df

SHA1
928c811ab93c03409955e36d5411fe40ab40a62e

SHA256
7fd44c6ed62312b7292ed5c4f579e037e37809d8a37e3d713af0f215007e1cfb

SHA512
aee6fa46be3f1168934669310044510287b10fbe768d5ef463375c495da81d254c926c1559c6b9f11cf1d470b5218437eea618fc736b5c36c3f2a2870886c018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
c1b50833ba856738d06dd68d924170d7

SHA1
b577fc6f97de4ff9f3ac3bc3e632aea498a3227a

SHA256
2242826a993f862301c4155872b92f2540c7dc0b56b635532c14f84ea5634dcb

SHA512
ecfd9fc275445dc5ab69be820152f8431fb5f390b72cfdbf76dc7dafd19bfff7bc7d43bffbf31a363ff688a6f0a2b68dc767233c57e196600ddb3b919fccbf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
7f87c26e45fe3b1a9391745d109ba65e

SHA1
a0fda47c8225ce2adb8bab62c72e79c53f44301f

SHA256
fdaeb8d1d7a38020bb3b70de49b03af5c4e05b5af18dab1efab0ef6b7f72f377

SHA512
a81f2a3916e70eeb453d728f83a248a66f9751bf8cb2df128498e2ca93fa41b431957037f477ebe23954e9689ddeaf8737f7b644969ddb6a4d517b7074f4f502

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\GPAISETUP.exe

Filesize
887KB

MD5
7df2920eb193f645fc40ce3427b0a535

SHA1
f46c2cb41cf9584ef93596cd549d2e3aba1767f4

SHA256
e280c1dfe67c7172f7b7277b03df0fd02de92e631276351e8ed792ade658a333

SHA512
5603841123f2c44e918e5b24dd7a9473b134e602059023fc3a64c1fe1f78a4aadecbf6bbc30f7995b4a05544403ec87426fd74aa845d98cab8d57712c339fe27

Download Submit
memory/2308-642-0x0000000000040000-0x0000000000126000-memory.dmp

Filesize
920KB

Download
memory/2308-643-0x0000000000AC0000-0x0000000000B10000-memory.dmp

Filesize
320KB

Download
memory/2308-644-0x0000000000A30000-0x0000000000A6E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads