Analysis
max time kernel: 18s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 16:45

Static task: static1
Behavioral task: behavioral1
  Sample: Mercurial.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Mercurial.exe
  Resource: win10v2004-en-20220112

General
Target: Mercurial.exe
Size: 3.2MB
MD5: 2168322c604dda24529ab10ffb63603c
SHA1: 325b8e0a7a13a5b6b2d13cb4a796c05f97ee9d12
SHA256: b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646
SHA512: 85b00c8a77048d5175ac99b2172c4a4c6b4348013ca419c723d20dfcedc6e2bafde1cad4ab41897ef7892112108888763881215650a6cb32fdb01a9cfde99564

Malware Config
Extracted: mercurialgrabber
  https://discord.com/api/webhooks/939772339271385098/pb40yymlaC36gJ9lrIZE64Tin0HhFVa5fet-muKugdctzZ9wq34Ecu9RIjcsTOKwswvD
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

Suspicious use of NtCreateProcessExOtherParentProcess (12 IoCs)
description | pid | Process | procid_target
PID 4376 created 3572 | 4376 | WerFault.exe | 201
PID 3796 created 1380 | 3796 | WerFault.exe | 64
PID 4092 created 3352 | 4092 | WerFault.exe | 73
PID 4384 created 3636 | 4384 | MERCURIAL.EXE | 76
PID 4240 created 1368 | 4240 | WerFault.exe | 70
PID 4352 created 1412 | 4352 | WerFault.exe | 79
PID 4512 created 2280 | 4512 | WerFault.exe | 126
PID 5012 created 4176 | 5012 | WerFault.exe | 86
PID 4376 created 4356 | 4376 | WerFault.exe | 89
PID 4640 created 4724 | 4640 | WerFault.exe | 95
PID 4404 created 4536 | 4404 | WerFault.exe | 232
PID 3476 created 4876 | 3476 | WerFault.exe | 97
Looks for VirtualBox Guest Additions in registry (2 TTPs)

Executes dropped EXE (19 IoCs)
pid | Process
1380 | OK.EXE
3572 | OK.EXE
1368 | OK.EXE
3352 | OK.EXE
3636 | OK.EXE
1412 | OK.EXE
2280 | OK.EXE
4176 | OK.EXE
4356 | OK.EXE
4536 | MERCURIAL.EXE
4724 | OK.EXE
4876 | OK.EXE
5100 | Conhost.exe
4780 | MERCURIAL.EXE
4332 | OK.EXE
4056 | OK.EXE
2280 | OK.EXE
3540 | OK.EXE
4716 | OK.EXE
Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 17 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OK.EXE
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | Mercurial.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | OK.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | MERCURIAL.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | ip-api.com
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Conhost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | MERCURIAL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Conhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OK.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (64 IoCs)
pid | pid_target | Process | procid_target
4720 | 3572 | WerFault.exe | 67
4588 | 3636 | WerFault.exe | 76
4920 | 3352 | WerFault.exe | 73
5068 | 1380 | WerFault.exe | 64
4828 | 4536 | WerFault.exe | 93
4604 | 4724 | WerFault.exe | 95
4992 | 4876 | WerFault.exe | 97
3460 | 5100 | WerFault.exe | 102
1936 | 4780 | WerFault.exe | 116
4828 | 4332 | WerFault.exe | 119
4932 | 4056 | WerFault.exe | 121
464 | 2280 | WerFault.exe | 126
4948 | 3540 | WerFault.exe | 132
4372 | 4716 | WerFault.exe | 139
1864 | 4040 | WerFault.exe | 144
2040 | 1312 | WerFault.exe | 148
4516 | 1492 | WerFault.exe | 152
4160 | 4124 | WerFault.exe | 154
1976 | 5092 | WerFault.exe | 160
5060 | 3736 | WerFault.exe | 165
2464 | 4712 | WerFault.exe | 171
3028 | 3496 | WerFault.exe | 173
4824 | 1512 | WerFault.exe | 180
4128 | 5024 | WerFault.exe | 190
1784 | 2972 | WerFault.exe | 185
15736 | 6820 | WerFault.exe | 305
15848 | 740 | WerFault.exe | 205
16232 | 11932 | WerFault.exe | 455
5536 | 6540 | WerFault.exe | 299
8408 | 8264 | WerFault.exe | 353
15880 | 7528 | WerFault.exe | 329
9780 | 860 | WerFault.exe | 254
4760 | 4280 | WerFault.exe | 257
5920 | 8696 | WerFault.exe | 364
5776 | 3776 | WerFault.exe | 375
5676 | 8572 | WerFault.exe | 359
6416 | 9556 | WerFault.exe | 388
11444 | 9788 | WerFault.exe | 391
5792 | 9336 | WerFault.exe | 400
880 | 10808 | WerFault.exe | 424
1572 | 10944 | WerFault.exe | 427
7804 | 12184 | WerFault.exe | 458
4984 | 11480 | WerFault.exe | 465
4092 | 12616 | WerFault.exe | 471
11848 | 12384 | WerFault.exe | 474
10464 | 13492 | WerFault.exe | 477
5360 | 13732 | WerFault.exe | 480
6852 | 13952 | WerFault.exe | 483
14448 | 14228 | WerFault.exe | 486
5084 | 7132 | WerFault.exe | 489
11816 | 13648 | WerFault.exe | 492
8012 | 4328 | WerFault.exe | 495
8456 | 1300 | WerFault.exe | 497
8648 | 11308 | WerFault.exe | 502
11820 | 14344 | WerFault.exe | 503
10156 | 14600 | WerFault.exe | 507
13360 | 8336 | WerFault.exe | 721
14948 | 15772 | WerFault.exe | 544
8216 | 15996 | WerFault.exe | 534
14216 | 7568 | WerFault.exe | 703
7884 | 11692 | WerFault.exe | 747
2976 | 6072 | WerFault.exe | 625
10772 | 10280 | WerFault.exe | 692
2168 | 10208 | WerFault.exe | 682
Checks SCSI registry key(s) (3 TTPs, 17 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Conhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | MERCURIAL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | WerFault.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | MERCURIAL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | OK.EXE
Checks processor information in registry (2 TTPs, 40 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MERCURIAL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Process not Found
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Process not Found
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Process not Found
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Conhost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | MERCURIAL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OK.EXE
Enumerates system info in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | OK.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | MERCURIAL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | OK.EXE
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
4588 | WerFault.exe
4588 | WerFault.exe
5068 | WerFault.exe
5068 | WerFault.exe
4920 | Process not Found
4920 | Process not Found
4720 | WerFault.exe
4720 | WerFault.exe
4604 | WerFault.exe
4604 | WerFault.exe
4828 | MERCURIAL.EXE
4828 | MERCURIAL.EXE
Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1380 | OK.EXE
Token: SeDebugPrivilege | 3572 | OK.EXE
Token: SeDebugPrivilege | 1368 | OK.EXE
Token: SeDebugPrivilege | 3352 | OK.EXE
Token: SeDebugPrivilege | 3636 | OK.EXE
Token: SeDebugPrivilege | 1412 | OK.EXE
Token: SeDebugPrivilege | 2280 | OK.EXE
Token: SeDebugPrivilege | 4176 | OK.EXE
Token: SeDebugPrivilege | 4356 | OK.EXE
Token: SeDebugPrivilege | 4536 | MERCURIAL.EXE
Token: SeDebugPrivilege | 4724 | OK.EXE
Token: SeDebugPrivilege | 4876 | OK.EXE
Token: SeDebugPrivilege | 5100 | Conhost.exe
Token: SeDebugPrivilege | 4780 | MERCURIAL.EXE
Token: SeDebugPrivilege | 4332 | OK.EXE
Token: SeDebugPrivilege | 4056 | OK.EXE
Token: SeDebugPrivilege | 2280 | OK.EXE
Token: SeDebugPrivilege | 3540 | WerFault.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3564 wrote to memory of 3020 | 3564 | Mercurial.exe | 63
PID 3564 wrote to memory of 3020 | 3564 | Mercurial.exe | 63
PID 3564 wrote to memory of 3020 | 3564 | Mercurial.exe | 63
PID 3564 wrote to memory of 1380 | 3564 | Mercurial.exe | 64
PID 3564 wrote to memory of 1380 | 3564 | Mercurial.exe | 64
PID 3020 wrote to memory of 1232 | 3020 | MERCURIAL.EXE | 66
PID 3020 wrote to memory of 1232 | 3020 | MERCURIAL.EXE | 66
PID 3020 wrote to memory of 1232 | 3020 | MERCURIAL.EXE | 66
PID 3020 wrote to memory of 3572 | 3020 | MERCURIAL.EXE | 67
PID 3020 wrote to memory of 3572 | 3020 | MERCURIAL.EXE | 67
PID 1232 wrote to memory of 3960 | 1232 | MERCURIAL.EXE | 69
PID 1232 wrote to memory of 3960 | 1232 | MERCURIAL.EXE | 69
PID 1232 wrote to memory of 3960 | 1232 | MERCURIAL.EXE | 69
PID 1232 wrote to memory of 1368 | 1232 | MERCURIAL.EXE | 70
PID 1232 wrote to memory of 1368 | 1232 | MERCURIAL.EXE | 70
PID 3960 wrote to memory of 2956 | 3960 | MERCURIAL.EXE | 72
PID 3960 wrote to memory of 2956 | 3960 | MERCURIAL.EXE | 72
PID 3960 wrote to memory of 2956 | 3960 | MERCURIAL.EXE | 72
PID 3960 wrote to memory of 3352 | 3960 | Process not Found | 73
PID 3960 wrote to memory of 3352 | 3960 | Process not Found | 73
PID 1340 wrote to memory of 2984 | 1340 | MERCURIAL.EXE | 78
PID 1340 wrote to memory of 2984 | 1340 | MERCURIAL.EXE | 78
PID 1340 wrote to memory of 2984 | 1340 | MERCURIAL.EXE | 78
PID 1340 wrote to memory of 1412 | 1340 | MERCURIAL.EXE | 79
PID 1340 wrote to memory of 1412 | 1340 | MERCURIAL.EXE | 79
PID 2984 wrote to memory of 3936 | 2984 | MERCURIAL.EXE | 248
PID 2984 wrote to memory of 3936 | 2984 | MERCURIAL.EXE | 248
PID 2984 wrote to memory of 3936 | 2984 | MERCURIAL.EXE | 248
PID 2984 wrote to memory of 2280 | 2984 | MERCURIAL.EXE | 126
PID 2984 wrote to memory of 2280 | 2984 | MERCURIAL.EXE | 126
PID 3936 wrote to memory of 4140 | 3936 | WaaSMedicAgent.exe | 85
PID 3936 wrote to memory of 4140 | 3936 | WaaSMedicAgent.exe | 85
PID 3936 wrote to memory of 4140 | 3936 | WaaSMedicAgent.exe | 85
PID 3936 wrote to memory of 4176 | 3936 | WaaSMedicAgent.exe | 86
PID 3936 wrote to memory of 4176 | 3936 | WaaSMedicAgent.exe | 86
PID 4140 wrote to memory of 4332 | 4140 | MERCURIAL.EXE | 119
PID 4140 wrote to memory of 4332 | 4140 | MERCURIAL.EXE | 119
PID 4140 wrote to memory of 4332 | 4140 | MERCURIAL.EXE | 119
PID 4140 wrote to memory of 4356 | 4140 | MERCURIAL.EXE | 89
PID 4140 wrote to memory of 4356 | 4140 | MERCURIAL.EXE | 89
PID 4332 wrote to memory of 4528 | 4332 | OK.EXE | 91
PID 4332 wrote to memory of 4528 | 4332 | OK.EXE | 91
PID 4332 wrote to memory of 4528 | 4332 | OK.EXE | 91
PID 4332 wrote to memory of 4536 | 4332 | OK.EXE | 232
PID 4332 wrote to memory of 4536 | 4332 | OK.EXE | 232
PID 4528 wrote to memory of 4708 | 4528 | MERCURIAL.EXE | 94
PID 4528 wrote to memory of 4708 | 4528 | MERCURIAL.EXE | 94
PID 4528 wrote to memory of 4708 | 4528 | MERCURIAL.EXE | 94
PID 4528 wrote to memory of 4724 | 4528 | MERCURIAL.EXE | 95
PID 4528 wrote to memory of 4724 | 4528 | MERCURIAL.EXE | 95
PID 4708 wrote to memory of 4848 | 4708 | MERCURIAL.EXE | 98
PID 4708 wrote to memory of 4848 | 4708 | MERCURIAL.EXE | 98
PID 4708 wrote to memory of 4848 | 4708 | MERCURIAL.EXE | 98
PID 4708 wrote to memory of 4876 | 4708 | MERCURIAL.EXE | 97
PID 4708 wrote to memory of 4876 | 4708 | MERCURIAL.EXE | 97
PID 4848 wrote to memory of 5056 | 4848 | MERCURIAL.EXE | 101
PID 4848 wrote to memory of 5056 | 4848 | MERCURIAL.EXE | 101
PID 4848 wrote to memory of 5056 | 4848 | MERCURIAL.EXE | 101
PID 4848 wrote to memory of 5100 | 4848 | MERCURIAL.EXE | 407
PID 4848 wrote to memory of 5100 | 4848 | MERCURIAL.EXE | 407
PID 4376 wrote to memory of 3572 | 4376 | WerFault.exe | 201
PID 4376 wrote to memory of 3572 | 4376 | WerFault.exe | 201
PID 3796 wrote to memory of 1380 | 3796 | WerFault.exe | 64
PID 3796 wrote to memory of 1380 | 3796 | WerFault.exe | 64
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"5⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"8⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"9⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"10⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"12⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4876 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4876 -s 200814⤵
- Program crash
PID:4992
-
-
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"13⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"14⤵
- Checks computer location settings
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"15⤵
- Checks computer location settings
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"16⤵
- Checks computer location settings
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4056 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4056 -s 203218⤵
- Program crash
PID:4932
-
-
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"17⤵
- Checks computer location settings
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"18⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2280 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2280 -s 199219⤵
- Program crash
PID:464
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"18⤵
- Checks computer location settings
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"19⤵
- Checks computer location settings
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"20⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"21⤵PID:4040
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4040 -s 202022⤵
- Program crash
PID:1864
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"21⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"22⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"23⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"24⤵PID:4124
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4124 -s 203225⤵
- Program crash
PID:4160
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"24⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"25⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"26⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4384 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"27⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"28⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"29⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"30⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"31⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"32⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"33⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"34⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"35⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"36⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"37⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"38⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"39⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"40⤵PID:4888
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"40⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"41⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"42⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"43⤵PID:4728
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"43⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"44⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"45⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"46⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"47⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"48⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"49⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"50⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"51⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"52⤵PID:5796
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"53⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"54⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"55⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"56⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"57⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"58⤵PID:6176
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"59⤵PID:6316
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"60⤵PID:6508
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"61⤵PID:6664
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"62⤵PID:6784
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"63⤵PID:6956
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"64⤵PID:7128
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"65⤵PID:6412
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"66⤵PID:6772
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"67⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"68⤵PID:7180
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"69⤵PID:7304
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"70⤵PID:7508
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"71⤵PID:7668
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"72⤵PID:7812
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"73⤵PID:7988
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"74⤵PID:8136
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"75⤵PID:7480
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"76⤵PID:7964
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"77⤵PID:7904
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"78⤵PID:8248
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"79⤵PID:8400
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"80⤵PID:8548
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"81⤵PID:8656
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"82⤵PID:8924
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"83⤵PID:9084
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"84⤵PID:8212
-
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"85⤵PID:3776
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3776 -s 195686⤵
- Program crash
PID:5776
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"85⤵PID:8548
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"86⤵PID:8720
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"87⤵PID:9264
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"88⤵PID:9420
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"89⤵PID:9524
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"90⤵PID:9732
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"91⤵PID:9932
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"92⤵PID:10088
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"93⤵PID:9004
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"94⤵PID:9760
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"95⤵PID:10028
-
C:\Users\Admin\AppData\Local\Temp\OK.EXE"C:\Users\Admin\AppData\Local\Temp\OK.EXE"96⤵PID:8808
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"96⤵PID:9488
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"97⤵PID:9868
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"98⤵PID:10304
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"99⤵PID:10456
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"100⤵PID:10620
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"101⤵PID:10760
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"102⤵PID:10924
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"103⤵PID:11092
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"104⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"105⤵PID:10708
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"106⤵PID:10960
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"107⤵PID:6164
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"108⤵PID:11276
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"109⤵PID:11416
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"110⤵PID:11512
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"111⤵PID:11904
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"112⤵PID:12144
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"113⤵PID:12272
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"114⤵PID:11476
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"115⤵PID:12220
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"116⤵PID:12604
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"117⤵PID:12500
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"118⤵PID:13476
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"119⤵PID:13720
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"120⤵PID:13920
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"121⤵PID:14164
-
C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"122⤵PID:7972