mercurialgrabber | b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646

Analysis

max time kernel
3s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial.exe
Size

3.2MB
MD5

2168322c604dda24529ab10ffb63603c
SHA1

325b8e0a7a13a5b6b2d13cb4a796c05f97ee9d12
SHA256

b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646
SHA512

85b00c8a77048d5175ac99b2172c4a4c6b4348013ca419c723d20dfcedc6e2bafde1cad4ab41897ef7892112108888763881215650a6cb32fdb01a9cfde99564

Score

10^/10

mercurialgrabber evasion stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/939772339271385098/pb40yymlaC36gJ9lrIZE64Tin0HhFVa5fet-muKugdctzZ9wq34Ecu9RIjcsTOKwswvD

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 17 IoCs

pid	Process
1648	OK.EXE
1340	OK.EXE
976	OK.EXE
1220	OK.EXE
1336	OK.EXE
1772	OK.EXE
1160	OK.EXE
764	OK.EXE
1752	OK.EXE
1360	OK.EXE
2256	OK.EXE
2328	OK.EXE
2440	OK.EXE
2524	OK.EXE
2628	OK.EXE
2756	OK.EXE
2876	OK.EXE

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE

Loads dropped DLL 17 IoCs

pid	Process
1672	Mercurial.exe
804	MERCURIAL.EXE
800	MERCURIAL.EXE
1868	MERCURIAL.EXE
1828	MERCURIAL.EXE
1796	MERCURIAL.EXE
616	MERCURIAL.EXE
688	MERCURIAL.EXE
1876	MERCURIAL.EXE
1244	MERCURIAL.EXE
1176	MERCURIAL.EXE
2244	MERCURIAL.EXE
2316	MERCURIAL.EXE
2392	MERCURIAL.EXE
2500	conhost.exe
2588	OK.EXE
2748	MERCURIAL.EXE

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	ip-api.com
83	ip-api.com

Maps connected drives based on registry 3 TTPs 32 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 59 IoCs

pid	pid_target	Process	procid_target
13960	3472	WerFault.exe	113
13952	5740	WerFault.exe	183
13572	4216	WerFault.exe	147
13316	1480	WerFault.exe	91
14008	3124	WerFault.exe	101
13864	3896	WerFault.exe	136
12836	1220	WerFault.exe	38
12240	5068	WerFault.exe	157
12828	1752	WerFault.exe	54
11504	5844	WerFault.exe	187
11740	4200	WerFault.exe	160
12756	2052	WerFault.exe	82
13420	2308	WerFault.exe	86
11304	3868	WerFault.exe	232
13024	1360	WerFault.exe	53
12848	1772	WerFault.exe	43
12688	3452	WerFault.exe	138
11276	5164	WerFault.exe	168
13624	2352	WerFault.exe	94
12856	1336	WerFault.exe	41
13640	5648	WerFault.exe	181
12200	4684	WerFault.exe	154
2436	2708	WerFault.exe	98
11280	764	WerFault.exe	49
13648	2256	WerFault.exe	59
12728	1648	WerFault.exe	29
14436	3784	WerFault.exe	142
14428	5936	WerFault.exe	190
14648	2936	WerFault.exe	77
14640	3188	WerFault.exe	102
14632	3692	WerFault.exe	121
14624	3132	WerFault.exe	127
14616	2252	WerFault.exe	134
14608	3344	WerFault.exe	131
14600	1340	WerFault.exe	31
14592	11076	WerFault.exe	380
14584	7640	WerFault.exe	261
14576	4180	WerFault.exe	149
14568	4680	WerFault.exe	165
14560	2588	WerFault.exe	89
14552	4472	WerFault.exe	150
14544	7612	WerFault.exe	245
14536	3536	WerFault.exe	115
14528	3276	WerFault.exe	106
14520	2328	WerFault.exe	62
14512	8244	WerFault.exe	270
14504	2440	WerFault.exe	65
14496	8420	WerFault.exe	273
14488	1160	WerFault.exe	47
14480	2756	WerFault.exe	73
14464	3916	WerFault.exe	124
14456	11720	WerFault.exe	371
14736	13604	WerFault.exe	404
14420	3324	WerFault.exe	109
14412	976	WerFault.exe	35
14400	3624	WerFault.exe	119
14392	2876	WerFault.exe	80
14384	2524	WerFault.exe	67
14376	2628	WerFault.exe	71

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	OK.EXE
Token: SeDebugPrivilege	1220	OK.EXE
Token: SeDebugPrivilege	1772	OK.EXE
Token: SeDebugPrivilege	1336	OK.EXE
Token: SeDebugPrivilege	976	OK.EXE
Token: SeDebugPrivilege	1648	OK.EXE
Token: SeDebugPrivilege	1160	OK.EXE
Token: SeDebugPrivilege	764	OK.EXE
Token: SeDebugPrivilege	1752	OK.EXE
Token: SeDebugPrivilege	1360	OK.EXE
Token: SeDebugPrivilege	2256	OK.EXE
Token: SeDebugPrivilege	2328	OK.EXE
Token: SeDebugPrivilege	2440	OK.EXE
Token: SeDebugPrivilege	2524	OK.EXE
Token: SeDebugPrivilege	2628	OK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 804	1672	Mercurial.exe	27
PID 1672 wrote to memory of 804	1672	Mercurial.exe	27
PID 1672 wrote to memory of 804	1672	Mercurial.exe	27
PID 1672 wrote to memory of 804	1672	Mercurial.exe	27
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	29
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	29
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	29
PID 1672 wrote to memory of 1648	1672	Mercurial.exe	29
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	30
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	30
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	30
PID 804 wrote to memory of 800	804	MERCURIAL.EXE	30
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	31
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	31
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	31
PID 804 wrote to memory of 1340	804	MERCURIAL.EXE	31
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	33
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	33
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	33
PID 800 wrote to memory of 1868	800	MERCURIAL.EXE	33
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	35
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	35
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	35
PID 800 wrote to memory of 976	800	MERCURIAL.EXE	35
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	36
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	36
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	36
PID 1868 wrote to memory of 1828	1868	MERCURIAL.EXE	36
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	38
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	38
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	38
PID 1868 wrote to memory of 1220	1868	MERCURIAL.EXE	38
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	81
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	81
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	81
PID 1828 wrote to memory of 1796	1828	MERCURIAL.EXE	81
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	41
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	41
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	41
PID 1828 wrote to memory of 1336	1828	MERCURIAL.EXE	41
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	42
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	42
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	42
PID 1796 wrote to memory of 616	1796	MERCURIAL.EXE	42
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	43
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	43
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	43
PID 1796 wrote to memory of 1772	1796	MERCURIAL.EXE	43
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	45
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	45
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	45
PID 616 wrote to memory of 688	616	MERCURIAL.EXE	45
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	47
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	47
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	47
PID 616 wrote to memory of 1160	616	MERCURIAL.EXE	47
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	48
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	48
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	48
PID 688 wrote to memory of 1876	688	MERCURIAL.EXE	48
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	49
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	49
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	49
PID 688 wrote to memory of 764	688	MERCURIAL.EXE	49

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        Loads dropped DLL
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1752 -s 920
        11⤵
        Program crash
        
        PID:12828
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        Loads dropped DLL
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 764 -s 928
        10⤵
        Program crash
        
        PID:11280
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1160 -s 924
        9⤵
        Program crash
        
        PID:14488
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1772 -s 928
        8⤵
        Program crash
        
        PID:12848
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1336 -s 1660
        7⤵
        Program crash
        
        PID:12856
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1220 -s 928
        6⤵
        Program crash
        
        PID:12836
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:976
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 976 -s 928
        5⤵
        Program crash
        
        PID:14412
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1340 -s 900
      4⤵
      Program crash
      PID:14600
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1648 -s 928
    3⤵
    - Program crash
    PID:12728

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
- Loads dropped DLL
PID:1176
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  - Loads dropped DLL
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    - Loads dropped DLL
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      Loads dropped DLL
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:2936
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2936 -s 900
        10⤵
        Program crash
        
        PID:14648
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        
        PID:3188
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3188 -s 924
        18⤵
        Program crash
        
        PID:14640
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        18⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        19⤵
        
        PID:3324
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3324 -s 1680
        20⤵
        Program crash
        
        PID:14420
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        19⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        20⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        21⤵
        
        PID:3536
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3536 -s 1680
        22⤵
        Program crash
        
        PID:14536
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        21⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        22⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        23⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        24⤵
        
        PID:3916
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3916 -s 1068
        25⤵
        Program crash
        
        PID:14464
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        24⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        25⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        26⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        27⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        28⤵
        
        PID:3896
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3896 -s 924
        29⤵
        Program crash
        
        PID:13864
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        28⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        29⤵
        
        PID:3452
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3452 -s 924
        30⤵
        Program crash
        
        PID:12688
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        29⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        30⤵
        
        PID:3784
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3784 -s 920
        31⤵
        Program crash
        
        PID:14436
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        30⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        31⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        32⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        33⤵
        
        PID:4472
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4472 -s 932
        34⤵
        Program crash
        
        PID:14552
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        33⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        34⤵
        
        PID:4684
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4684 -s 916
        35⤵
        Program crash
        
        PID:12200
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        34⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        35⤵
        
        PID:5068
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5068 -s 904
        36⤵
        Program crash
        
        PID:12240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        35⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        36⤵
        
        PID:4200
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4200 -s 1720
        37⤵
        Program crash
        
        PID:11740
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        36⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        37⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        38⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        39⤵
        
        PID:5164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5164 -s 1072
        40⤵
        Program crash
        
        PID:11276
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        39⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        40⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        41⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        42⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        43⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        44⤵
        
        PID:5740
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5740 -s 1836
        45⤵
        Program crash
        
        PID:13952
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        44⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        45⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        46⤵
        
        PID:5936
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5936 -s 1036
        47⤵
        Program crash
        
        PID:14428
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        46⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        47⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        48⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        49⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        50⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        50⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        51⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        51⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        52⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        52⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        53⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        54⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        55⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        56⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        56⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        57⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        58⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        58⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        59⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        60⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        61⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        61⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        62⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        63⤵
        
        PID:7612
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7612 -s 1844
        64⤵
        Program crash
        
        PID:14544
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        63⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        62⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        60⤵
        
        PID:3868
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3868 -s 1808
        61⤵
        Program crash
        
        PID:11304
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        59⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        57⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        55⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        54⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        53⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        49⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        48⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        47⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        45⤵
        
        PID:5844
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5844 -s 924
        46⤵
        Program crash
        
        PID:11504
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        43⤵
        
        PID:5648
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5648 -s 920
        44⤵
        Program crash
        
        PID:13640
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        42⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        41⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        40⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        38⤵
        
        PID:4680
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4680 -s 1004
        39⤵
        Program crash
        
        PID:14568
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        37⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        32⤵
        
        PID:4216
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4216 -s 920
        33⤵
        Program crash
        
        PID:13572
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        31⤵
        
        PID:4180
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4180 -s 1664
        32⤵
        Program crash
        
        PID:14576
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        27⤵
        
        PID:2252
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2252 -s 1684
        28⤵
        Program crash
        
        PID:14616
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        26⤵
        
        PID:3344
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3344 -s 924
        27⤵
        Program crash
        
        PID:14608
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        25⤵
        
        PID:3132
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3132 -s 1664
        26⤵
        Program crash
        
        PID:14624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        23⤵
        
        PID:3692
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3692 -s 1664
        24⤵
        Program crash
        
        PID:14632
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        22⤵
        
        PID:3624
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3624 -s 928
        23⤵
        Program crash
        
        PID:14400
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        20⤵
        
        PID:3472
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3472 -s 1816
        21⤵
        Program crash
        
        PID:13960
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        18⤵
        
        PID:3276
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3276 -s 1672
        19⤵
        Program crash
        
        PID:14528
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        
        PID:3124
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3124 -s 928
        17⤵
        Program crash
        
        PID:14008
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:2708
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2708 -s 928
        16⤵
        Program crash
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:2352
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2352 -s 932
        15⤵
        Program crash
        
        PID:13624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:1480
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1480 -s 1664
        14⤵
        Program crash
        
        PID:13316
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        Loads dropped DLL
        
        PID:2588
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2588 -s 1664
        13⤵
        Program crash
        
        PID:14560
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:2308
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2308 -s 900
        12⤵
        Program crash
        
        PID:13420
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:2052
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2052 -s 928
        11⤵
        Program crash
        
        PID:12756
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2876 -s 1660
        9⤵
        Program crash
        
        PID:14392
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        
        PID:2756
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2756 -s 1676
        8⤵
        Program crash
        
        PID:14480
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2628 -s 932
        7⤵
        Program crash
        
        PID:14376
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2524 -s 928
        6⤵
        Program crash
        
        PID:14384
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2440 -s 900
        5⤵
        Program crash
        
        PID:14504
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2328 -s 900
      4⤵
      Program crash
      PID:14520
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2256 -s 888
    3⤵
    - Program crash
    PID:13648

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1360 -s 896
  2⤵
  - Program crash
  PID:13024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1226518231-1564149598-2222764918755296971846005651-1268723383-2336262171644812017"
1⤵
- Loads dropped DLL
PID:2500

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:7796

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:7768
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:7908
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:7892
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:8180
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:6520
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:8232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:8548
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        
        PID:8776
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:8768
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:8976
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:8860
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:8420
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8420 -s 1828
        11⤵
        Program crash
        
        PID:14496
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:8244
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8244 -s 1840
        10⤵
        Program crash
        
        PID:14512
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:7632
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        
        PID:7640
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7640 -s 1820
        7⤵
        Program crash
        
        PID:14584
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:7164
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:8116

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:8852
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:8764
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:9276
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:9604
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:9756
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:9748
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:9996
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:10224
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:9916
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:10260
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:10244
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:10328
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:10452
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:10580
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        
        PID:10344
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:9728
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:9648
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:9300
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:8808

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:10628
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:10764
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:10852
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:10840
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:10968
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:11116
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:10332
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:10176
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:10136
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:10652
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        
        PID:11408
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:11400
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:11560
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        
        PID:11552
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        
        PID:11704
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        
        PID:11856
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        
        PID:11848
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        
        PID:12140
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:11076
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11076 -s 1836
        16⤵
        Program crash
        
        PID:14592
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        
        PID:10784
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        
        PID:11452
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        
        PID:12604
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        18⤵
        
        PID:13060
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        19⤵
        
        PID:13172
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        20⤵
        
        PID:12532
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        21⤵
        
        PID:13140
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        21⤵
        
        PID:11380
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        22⤵
        
        PID:13420
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        23⤵
        
        PID:13604
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 13604 -s 1848
        24⤵
        Program crash
        
        PID:14736
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        23⤵
        
        PID:13596
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        24⤵
        
        PID:13868
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        25⤵
        
        PID:14012
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        26⤵
        
        PID:14148
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        27⤵
        
        PID:14240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        27⤵
        
        PID:14232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        28⤵
        
        PID:13052
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        29⤵
        
        PID:13884
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        29⤵
        
        PID:13852
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        30⤵
        
        PID:12700
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        30⤵
        
        PID:12732
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        31⤵
        
        PID:12856
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        32⤵
        
        PID:14232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        32⤵
        
        PID:13424
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        33⤵
        
        PID:12840
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        33⤵
        
        PID:14256
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        34⤵
        
        PID:12780
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        35⤵
        
        PID:14992
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        36⤵
        
        PID:15316
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        37⤵
        
        PID:15300
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        38⤵
        
        PID:15236
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        38⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        37⤵
        
        PID:14924
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        36⤵
        
        PID:11680
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        35⤵
        
        PID:15328
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        34⤵
        
        PID:15284
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        31⤵
        
        PID:12888
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        28⤵
        
        PID:12604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        26⤵
        
        PID:14176
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        25⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        24⤵
        
        PID:13896
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        22⤵
        
        PID:13436
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        20⤵
        
        PID:12908
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        19⤵
        
        PID:13184
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        18⤵
        
        PID:13068
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        
        PID:12624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        
        PID:10528
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:12168
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        
        PID:11720
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11720 -s 1844
        13⤵
        Program crash
        
        PID:14456
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:10584
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        
        PID:10572
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:10976
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:10800

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:10640

C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
1⤵
PID:15024
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    PID:14444
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    PID:15316
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      PID:14532
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      PID:7056
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        
        PID:7364
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:15232
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        
        PID:11472
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        
        PID:9808
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:8632
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:11020
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  PID:11268

C:\Users\Admin\AppData\Local\Temp\OK.EXE
"C:\Users\Admin\AppData\Local\Temp\OK.EXE"
1⤵
PID:15324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-87-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/764-88-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/976-85-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/976-82-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1160-96-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1160-100-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/1220-93-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/1220-83-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1336-89-0x0000000000440000-0x0000000000442000-memory.dmp

Filesize
8KB

Download
memory/1340-86-0x000000001B130000-0x000000001B132000-memory.dmp

Filesize
8KB

Download
memory/1340-81-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1360-122-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/1648-62-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1648-95-0x00000000021D0000-0x00000000021D2000-memory.dmp

Filesize
8KB

Download
memory/1648-60-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1672-53-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download
memory/1752-102-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

Filesize
8KB

Download
memory/1752-101-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1772-84-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/1772-94-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

Filesize
8KB

Download
memory/2256-126-0x000000001AE20000-0x000000001AE22000-memory.dmp

Filesize
8KB

Download
memory/2256-125-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2328-130-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2328-131-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/2440-133-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/2440-132-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2524-135-0x000000001AEB0000-0x000000001AEB2000-memory.dmp

Filesize
8KB

Download
memory/2524-134-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2628-136-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2628-137-0x000000001B120000-0x000000001B122000-memory.dmp

Filesize
8KB

Download
memory/2756-139-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/2756-138-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2876-162-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/2876-161-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2936-163-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads