mercurialgrabber | b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646

Analysis

max time kernel
3s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial.exe
Size

3.2MB
MD5

2168322c604dda24529ab10ffb63603c
SHA1

325b8e0a7a13a5b6b2d13cb4a796c05f97ee9d12
SHA256

b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646
SHA512

85b00c8a77048d5175ac99b2172c4a4c6b4348013ca419c723d20dfcedc6e2bafde1cad4ab41897ef7892112108888763881215650a6cb32fdb01a9cfde99564

Score

10^/10

mercurialgrabber evasion stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/939772339271385098/pb40yymlaC36gJ9lrIZE64Tin0HhFVa5fet-muKugdctzZ9wq34Ecu9RIjcsTOKwswvD

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 17 IoCs

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

pid	process
1648	OK.EXE
1340	OK.EXE
976	OK.EXE
1220	OK.EXE
1336	OK.EXE
1772	OK.EXE
1160	OK.EXE
764	OK.EXE
1752	OK.EXE
1360	OK.EXE
2256	OK.EXE
2328	OK.EXE
2440	OK.EXE
2524	OK.EXE
2628	OK.EXE
2756	OK.EXE
2876	OK.EXE

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE

Loads dropped DLL 17 IoCs

Processes:

Mercurial.exeMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEconhost.exeOK.EXEMERCURIAL.EXE

pid	process
1672	Mercurial.exe
804	MERCURIAL.EXE
800	MERCURIAL.EXE
1868	MERCURIAL.EXE
1828	MERCURIAL.EXE
1796	MERCURIAL.EXE
616	MERCURIAL.EXE
688	MERCURIAL.EXE
1876	MERCURIAL.EXE
1244	MERCURIAL.EXE
1176	MERCURIAL.EXE
2244	MERCURIAL.EXE
2316	MERCURIAL.EXE
2392	MERCURIAL.EXE
2500	conhost.exe
2588	OK.EXE
2748	MERCURIAL.EXE

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

82 ip-api.com
83 ip-api.com

flow	ioc
82	ip-api.com
83	ip-api.com

Maps connected drives based on registry 3 TTPs 32 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 59 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
13960	3472	WerFault.exe	OK.EXE
13952	5740	WerFault.exe	OK.EXE
13572	4216	WerFault.exe	OK.EXE
13316	1480	WerFault.exe	OK.EXE
14008	3124	WerFault.exe	OK.EXE
13864	3896	WerFault.exe	OK.EXE
12836	1220	WerFault.exe	OK.EXE
12240	5068	WerFault.exe	OK.EXE
12828	1752	WerFault.exe	OK.EXE
11504	5844	WerFault.exe	OK.EXE
11740	4200	WerFault.exe	OK.EXE
12756	2052	WerFault.exe	OK.EXE
13420	2308	WerFault.exe	OK.EXE
11304	3868	WerFault.exe	OK.EXE
13024	1360	WerFault.exe	OK.EXE
12848	1772	WerFault.exe	OK.EXE
12688	3452	WerFault.exe	OK.EXE
11276	5164	WerFault.exe	OK.EXE
13624	2352	WerFault.exe	OK.EXE
12856	1336	WerFault.exe	OK.EXE
13640	5648	WerFault.exe	OK.EXE
12200	4684	WerFault.exe	OK.EXE
2436	2708	WerFault.exe	OK.EXE
11280	764	WerFault.exe	OK.EXE
13648	2256	WerFault.exe	OK.EXE
12728	1648	WerFault.exe	OK.EXE
14436	3784	WerFault.exe	OK.EXE
14428	5936	WerFault.exe	OK.EXE
14648	2936	WerFault.exe	OK.EXE
14640	3188	WerFault.exe	OK.EXE
14632	3692	WerFault.exe	OK.EXE
14624	3132	WerFault.exe	OK.EXE
14616	2252	WerFault.exe	OK.EXE
14608	3344	WerFault.exe	OK.EXE
14600	1340	WerFault.exe	OK.EXE
14592	11076	WerFault.exe	OK.EXE
14584	7640	WerFault.exe	OK.EXE
14576	4180	WerFault.exe	OK.EXE
14568	4680	WerFault.exe	OK.EXE
14560	2588	WerFault.exe	OK.EXE
14552	4472	WerFault.exe	OK.EXE
14544	7612	WerFault.exe	OK.EXE
14536	3536	WerFault.exe	OK.EXE
14528	3276	WerFault.exe	OK.EXE
14520	2328	WerFault.exe	OK.EXE
14512	8244	WerFault.exe	OK.EXE
14504	2440	WerFault.exe	OK.EXE
14496	8420	WerFault.exe	OK.EXE
14488	1160	WerFault.exe	OK.EXE
14480	2756	WerFault.exe	OK.EXE
14464	3916	WerFault.exe	OK.EXE
14456	11720	WerFault.exe	OK.EXE
14736	13604	WerFault.exe	OK.EXE
14420	3324	WerFault.exe	OK.EXE
14412	976	WerFault.exe	OK.EXE
14400	3624	WerFault.exe	OK.EXE
14392	2876	WerFault.exe	OK.EXE
14384	2524	WerFault.exe	OK.EXE
14376	2628	WerFault.exe	OK.EXE

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	pid	process
Token: SeDebugPrivilege	1340	OK.EXE
Token: SeDebugPrivilege	1220	OK.EXE
Token: SeDebugPrivilege	1772	OK.EXE
Token: SeDebugPrivilege	1336	OK.EXE
Token: SeDebugPrivilege	976	OK.EXE
Token: SeDebugPrivilege	1648	OK.EXE
Token: SeDebugPrivilege	1160	OK.EXE
Token: SeDebugPrivilege	764	OK.EXE
Token: SeDebugPrivilege	1752	OK.EXE
Token: SeDebugPrivilege	1360	OK.EXE
Token: SeDebugPrivilege	2256	OK.EXE
Token: SeDebugPrivilege	2328	OK.EXE
Token: SeDebugPrivilege	2440	OK.EXE
Token: SeDebugPrivilege	2524	OK.EXE
Token: SeDebugPrivilege	2628	OK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Mercurial.exeMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXE

description	pid	process	target process
PID 1672 wrote to memory of 804	1672	Mercurial.exe	MERCURIAL.EXE
PID 1672 wrote to memory of 804	1672	Mercurial.exe	MERCURIAL.EXE
PID 1672 wrote to memory of 804	1672	Mercurial.exe	MERCURIAL.EXE
PID 1672 wrote to memory of 804	1672	Mercurial.exe	MERCURIAL.EXE
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	OK.EXE
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	OK.EXE
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	OK.EXE
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	OK.EXE
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	MERCURIAL.EXE
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	MERCURIAL.EXE
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	MERCURIAL.EXE
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	MERCURIAL.EXE
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	OK.EXE
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	OK.EXE
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	OK.EXE
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	OK.EXE
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	MERCURIAL.EXE
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	MERCURIAL.EXE
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	MERCURIAL.EXE
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	MERCURIAL.EXE
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	OK.EXE
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	OK.EXE
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	OK.EXE
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	OK.EXE
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	MERCURIAL.EXE
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	MERCURIAL.EXE
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	MERCURIAL.EXE
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	MERCURIAL.EXE
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	OK.EXE
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	OK.EXE
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	OK.EXE
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	OK.EXE
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	MERCURIAL.EXE
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	MERCURIAL.EXE
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	MERCURIAL.EXE
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	MERCURIAL.EXE
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	OK.EXE
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	OK.EXE
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	OK.EXE
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	OK.EXE
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	MERCURIAL.EXE
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	MERCURIAL.EXE
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	MERCURIAL.EXE
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	MERCURIAL.EXE
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	OK.EXE
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	OK.EXE
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	OK.EXE
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	OK.EXE
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	MERCURIAL.EXE
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	MERCURIAL.EXE
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	MERCURIAL.EXE
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	MERCURIAL.EXE
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	OK.EXE
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	OK.EXE
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	OK.EXE
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	OK.EXE
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	MERCURIAL.EXE
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	MERCURIAL.EXE
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	MERCURIAL.EXE
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	MERCURIAL.EXE
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	OK.EXE
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	OK.EXE
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	OK.EXE
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	OK.EXE

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        Loads dropped DLL
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1752 -s 920
        11⤵
        Program crash
        
        PID:12828
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        Loads dropped DLL
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 764 -s 928
        10⤵
        Program crash
        
        PID:11280
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1160 -s 924
        9⤵
        Program crash
        
        PID:14488
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1772 -s 928
        8⤵
        Program crash
        
        PID:12848
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1336 -s 1660
        7⤵
        Program crash
        
        PID:12856
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1220 -s 928
        6⤵
        Program crash
        
        PID:12836
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:976
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 976 -s 928
        5⤵
        Program crash
        
        PID:14412
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1340 -s 900
      4⤵
      Program crash
      PID:14600
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1648 -s 928
    3⤵
    - Program crash
    PID:12728

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
- Loads dropped DLL
PID:1176
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  - Loads dropped DLL
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    - Loads dropped DLL
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      Loads dropped DLL
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:2936
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2936 -s 900
        10⤵
        Program crash
        
        PID:14648
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        
        PID:3188
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3188 -s 924
        18⤵
        Program crash
        
        PID:14640
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        18⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        19⤵
        
        PID:3324
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3324 -s 1680
        20⤵
        Program crash
        
        PID:14420
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        19⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        20⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        21⤵
        
        PID:3536
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3536 -s 1680
        22⤵
        Program crash
        
        PID:14536
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        21⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        22⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        23⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        24⤵
        
        PID:3916
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3916 -s 1068
        25⤵
        Program crash
        
        PID:14464
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        24⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        25⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        26⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        27⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        28⤵
        
        PID:3896
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3896 -s 924
        29⤵
        Program crash
        
        PID:13864
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        28⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        29⤵
        
        PID:3452
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3452 -s 924
        30⤵
        Program crash
        
        PID:12688
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        29⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        30⤵
        
        PID:3784
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3784 -s 920
        31⤵
        Program crash
        
        PID:14436
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        30⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        31⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        32⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        33⤵
        
        PID:4472
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4472 -s 932
        34⤵
        Program crash
        
        PID:14552
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        33⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        34⤵
        
        PID:4684
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4684 -s 916
        35⤵
        Program crash
        
        PID:12200
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        34⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        35⤵
        
        PID:5068
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5068 -s 904
        36⤵
        Program crash
        
        PID:12240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        35⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        36⤵
        
        PID:4200
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4200 -s 1720
        37⤵
        Program crash
        
        PID:11740
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        36⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        37⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        38⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        39⤵
        
        PID:5164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5164 -s 1072
        40⤵
        Program crash
        
        PID:11276
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        39⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        40⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        41⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        42⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        43⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        44⤵
        
        PID:5740
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5740 -s 1836
        45⤵
        Program crash
        
        PID:13952
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        44⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        45⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        46⤵
        
        PID:5936
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5936 -s 1036
        47⤵
        Program crash
        
        PID:14428
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        46⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        47⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        48⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        49⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        50⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        50⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        51⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        51⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        52⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        52⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        53⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        54⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        55⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        56⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        56⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        57⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        58⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        58⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        59⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        60⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        61⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        61⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        62⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        63⤵
        
        PID:7612
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7612 -s 1844
        64⤵
        Program crash
        
        PID:14544
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        63⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        62⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        60⤵
        
        PID:3868
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3868 -s 1808
        61⤵
        Program crash
        
        PID:11304
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        59⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        57⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        55⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        54⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        53⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        49⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        48⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        47⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        45⤵
        
        PID:5844
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5844 -s 924
        46⤵
        Program crash
        
        PID:11504
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        43⤵
        
        PID:5648
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5648 -s 920
        44⤵
        Program crash
        
        PID:13640
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        42⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        41⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        40⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        38⤵
        
        PID:4680
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4680 -s 1004
        39⤵
        Program crash
        
        PID:14568
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        37⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        32⤵
        
        PID:4216
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4216 -s 920
        33⤵
        Program crash
        
        PID:13572
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        31⤵
        
        PID:4180
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4180 -s 1664
        32⤵
        Program crash
        
        PID:14576
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        27⤵
        
        PID:2252
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2252 -s 1684
        28⤵
        Program crash
        
        PID:14616
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        26⤵
        
        PID:3344
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3344 -s 924
        27⤵
        Program crash
        
        PID:14608
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        25⤵
        
        PID:3132
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3132 -s 1664
        26⤵
        Program crash
        
        PID:14624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        23⤵
        
        PID:3692
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3692 -s 1664
        24⤵
        Program crash
        
        PID:14632
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        22⤵
        
        PID:3624
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3624 -s 928
        23⤵
        Program crash
        
        PID:14400
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        20⤵
        
        PID:3472
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3472 -s 1816
        21⤵
        Program crash
        
        PID:13960
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        18⤵
        
        PID:3276
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3276 -s 1672
        19⤵
        Program crash
        
        PID:14528
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        
        PID:3124
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3124 -s 928
        17⤵
        Program crash
        
        PID:14008
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:2708
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2708 -s 928
        16⤵
        Program crash
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:2352
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2352 -s 932
        15⤵
        Program crash
        
        PID:13624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:1480
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1480 -s 1664
        14⤵
        Program crash
        
        PID:13316
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        Loads dropped DLL
        
        PID:2588
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2588 -s 1664
        13⤵
        Program crash
        
        PID:14560
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:2308
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2308 -s 900
        12⤵
        Program crash
        
        PID:13420
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:2052
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2052 -s 928
        11⤵
        Program crash
        
        PID:12756
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2876 -s 1660
        9⤵
        Program crash
        
        PID:14392
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        
        PID:2756
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2756 -s 1676
        8⤵
        Program crash
        
        PID:14480
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2628 -s 932
        7⤵
        Program crash
        
        PID:14376
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2524 -s 928
        6⤵
        Program crash
        
        PID:14384
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2440 -s 900
        5⤵
        Program crash
        
        PID:14504
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2328 -s 900
      4⤵
      Program crash
      PID:14520
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2256 -s 888
    3⤵
    - Program crash
    PID:13648

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1360 -s 896
  2⤵
  - Program crash
  PID:13024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1226518231-1564149598-2222764918755296971846005651-1268723383-2336262171644812017"
1⤵
- Loads dropped DLL
PID:2500

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:7796

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:7768
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:7908
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:7892
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:8180
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:6520
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:8232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:8548
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        
        PID:8776
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:8768
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:8976
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:8860
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:8420
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8420 -s 1828
        11⤵
        Program crash
        
        PID:14496
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:8244
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8244 -s 1840
        10⤵
        Program crash
        
        PID:14512
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:7632
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        
        PID:7640
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7640 -s 1820
        7⤵
        Program crash
        
        PID:14584
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:7164
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:8116

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:8852
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:8764
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:9276
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:9604
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:9756
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:9748
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:9996
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:10224
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:9916
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:10260
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:10244
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:10328
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:10452
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:10580
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        
        PID:10344
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:9728
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:9648
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:9300
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:8808

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:10628
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:10764
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:10852
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:10840
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:10968
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:11116
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:10332
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:10176
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:10136
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:10652
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:11408
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:11400
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:11560
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:11552
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:11704
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:11856
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:11848
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:12140
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:11076
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11076 -s 1836
        16⤵
        Program crash
        
        PID:14592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        
        PID:10784
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        
        PID:11452
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        
        PID:12604
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        18⤵
        
        PID:13060
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        19⤵
        
        PID:13172
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        20⤵
        
        PID:12532
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        21⤵
        
        PID:13140
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        21⤵
        
        PID:11380
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        22⤵
        
        PID:13420
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        23⤵
        
        PID:13604
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 13604 -s 1848
        24⤵
        Program crash
        
        PID:14736
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        23⤵
        
        PID:13596
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        24⤵
        
        PID:13868
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        25⤵
        
        PID:14012
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        26⤵
        
        PID:14148
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        27⤵
        
        PID:14240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        27⤵
        
        PID:14232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        28⤵
        
        PID:13052
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        29⤵
        
        PID:13884
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        29⤵
        
        PID:13852
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        30⤵
        
        PID:12700
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        30⤵
        
        PID:12732
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        31⤵
        
        PID:12856
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        32⤵
        
        PID:14232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        32⤵
        
        PID:13424
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        33⤵
        
        PID:12840
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        33⤵
        
        PID:14256
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        34⤵
        
        PID:12780
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        35⤵
        
        PID:14992
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        36⤵
        
        PID:15316
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        37⤵
        
        PID:15300
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        38⤵
        
        PID:15236
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        38⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        37⤵
        
        PID:14924
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        36⤵
        
        PID:11680
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        35⤵
        
        PID:15328
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        34⤵
        
        PID:15284
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        31⤵
        
        PID:12888
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        28⤵
        
        PID:12604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        26⤵
        
        PID:14176
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        25⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        24⤵
        
        PID:13896
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        22⤵
        
        PID:13436
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        20⤵
        
        PID:12908
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        19⤵
        
        PID:13184
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        18⤵
        
        PID:13068
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        
        PID:12624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        
        PID:10528
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:12168
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        
        PID:11720
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11720 -s 1844
        13⤵
        Program crash
        
        PID:14456
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:10584
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        
        PID:10572
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:10976
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:10800

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:10640

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:15024
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:14444
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:15316
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:14532
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:7056
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:7364
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:15232
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:11472
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:9808
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:8632
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:11020
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:11268

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:15324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
memory/764-87-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/764-88-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/976-85-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/976-82-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1160-96-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1160-100-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/1220-93-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/1220-83-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1336-89-0x0000000000440000-0x0000000000442000-memory.dmp

Filesize
8KB

Download
memory/1340-86-0x000000001B130000-0x000000001B132000-memory.dmp

Filesize
8KB

Download
memory/1340-81-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1360-122-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/1648-62-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1648-95-0x00000000021D0000-0x00000000021D2000-memory.dmp

Filesize
8KB

Download
memory/1648-60-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1672-53-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download
memory/1752-102-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

Filesize
8KB

Download
memory/1752-101-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1772-84-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1772-94-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

Filesize
8KB

Download
memory/2256-126-0x000000001AE20000-0x000000001AE22000-memory.dmp

Filesize
8KB

Download
memory/2256-125-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2328-130-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2328-131-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/2440-133-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/2440-132-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2524-135-0x000000001AEB0000-0x000000001AEB2000-memory.dmp

Filesize
8KB

Download
memory/2524-134-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2628-136-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2628-137-0x000000001B120000-0x000000001B122000-memory.dmp

Filesize
8KB

Download
memory/2756-139-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/2756-138-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2876-162-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/2876-161-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2936-163-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download