Analysis
-
max time kernel
625s -
max time network
627s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2022 18:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/NightfallGT/Mercurial-Grabber/releases/download/v1.0/Mercurial.Grabber.v1.03.rar
Resource
win10v2004-20220812-en
General
-
Target
https://github.com/NightfallGT/Mercurial-Grabber/releases/download/v1.0/Mercurial.Grabber.v1.03.rar
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1012429981684600883/LWtnCGmn_bF1uTSoWs7byLfVjb-yFKwWAwmtgIn3Noz0ASP9w56nEJnjskpxVlCEYRXx
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes:
uninstall.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 6 IoCs
Processes:
PulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PulaExe.exe -
Downloads MZ/PE file
-
Executes dropped EXE 29 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exeWinRAR.exeWinRAR.exeWinRAR.exeMercurial.exeMercurial.exeoutput.exeoutput.exeMercurial.exePulaExe.exePulaExe.exeMercurial.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exeoutput.exepid Process 3512 winrar-x64-611.exe 3520 uninstall.exe 4752 WinRAR.exe 3028 WinRAR.exe 1068 WinRAR.exe 2368 WinRAR.exe 4760 Mercurial.exe 2736 Mercurial.exe 1276 output.exe 1884 output.exe 1408 Mercurial.exe 4864 PulaExe.exe 3784 PulaExe.exe 2980 Mercurial.exe 1888 Plaece.exe 708 Plaece.exe 1760 Plaece.exe 4808 Plaece.exe 3488 Plaece.exe 696 Plaece.exe 3988 Plaece.exe 4676 Plaece.exe 1156 Plaece.exe 5184 Plaece.exe 5440 PulaExe.exe 5508 PulaExe.exe 5612 PulaExe.exe 5764 PulaExe.exe 6056 output.exe -
Looks for VMWare Tools registry key 2 TTPs 6 IoCs
Processes:
PulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PulaExe.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PulaExe.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
uninstall.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
PulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PulaExe.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
winrar-x64-611.exeWinRAR.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation winrar-x64-611.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WinRAR.exe -
Loads dropped DLL 2 IoCs
Processes:
pid Process 2824 2824 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 21 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 414 ip4.seeip.org 436 ip4.seeip.org 437 ip4.seeip.org 303 ip4.seeip.org 405 ip4.seeip.org 411 ip4.seeip.org 450 ip4.seeip.org 380 ip4.seeip.org 393 ip4.seeip.org 438 ip4.seeip.org 425 ip4.seeip.org 296 ip4.seeip.org 384 ip4.seeip.org 408 ip4.seeip.org 418 ip4.seeip.org 426 ip4.seeip.org 429 ip4.seeip.org 439 ip4.seeip.org 297 ip4.seeip.org 298 ip-api.com 406 ip4.seeip.org -
Maps connected drives based on registry 3 TTPs 12 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
PulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PulaExe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PulaExe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PulaExe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PulaExe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PulaExe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PulaExe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PulaExe.exe -
Drops file in Program Files directory 62 IoCs
Processes:
winrar-x64-611.exechrome.exeuninstall.exedescription ioc Process File created C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\readme.txt chrome.exe File opened for modification C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Mercurial.exe chrome.exe File opened for modification C:\Program Files\WinRAR winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\zipnew.dat uninstall.exe File created C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File created C:\Program Files\WinRAR\rarnew.dat uninstall.exe File opened for modification C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File created C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File created C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File created C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File created C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240613921 winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 1296 4760 WerFault.exe 178 1048 4760 WerFault.exe 178 5384 3488 WerFault.exe 288 5408 4808 WerFault.exe 286 5796 696 WerFault.exe 290 5408 5764 WerFault.exe 312 5548 5508 WerFault.exe 307 3208 5184 WerFault.exe 298 2120 5612 WerFault.exe 309 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
PulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PulaExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PulaExe.exe -
Checks processor information in registry 2 TTPs 34 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Plaece.exePlaece.exePulaExe.exeoutput.exePulaExe.exePulaExe.exePlaece.exePlaece.exePulaExe.exePulaExe.exePlaece.exePlaece.exePlaece.exeoutput.exePlaece.exePlaece.exePulaExe.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PulaExe.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PulaExe.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PulaExe.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PulaExe.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 output.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString output.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 output.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PulaExe.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PulaExe.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Plaece.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PulaExe.exe -
Enumerates system info in registry 2 TTPs 39 IoCs
Processes:
PulaExe.exePulaExe.exechrome.exemsedge.exechrome.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exechrome.exechrome.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PulaExe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PulaExe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PulaExe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PulaExe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PulaExe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Processes:
WinRAR.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync WinRAR.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" WinRAR.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch WinRAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" WinRAR.exe -
Modifies registry class 64 IoCs
Processes:
uninstall.exeMercurial.exechrome.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uue uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rev uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" Mercurial.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg Mercurial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r08 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 Mercurial.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Mercurial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r00 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR" uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "6" Mercurial.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Mercurial.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Mercurial.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 14002e80922b16d365937a46956b92703aca08af0000 Mercurial.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Mercurial.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Mercurial.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Mercurial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r29 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" Mercurial.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Mercurial.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 Mercurial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" Mercurial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r09 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents" Mercurial.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Mercurial.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Mercurial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xz uninstall.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg Mercurial.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Mercurial.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" Mercurial.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Mercurial.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Mercurial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff Mercurial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 Mercurial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r23 uninstall.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeMercurial.exeMercurial.exechrome.exechrome.exechrome.exechrome.exechrome.exemsedge.exemsedge.exechrome.exepid Process 948 chrome.exe 948 chrome.exe 756 chrome.exe 756 chrome.exe 3584 chrome.exe 3584 chrome.exe 4472 chrome.exe 4472 chrome.exe 2544 chrome.exe 2544 chrome.exe 4444 chrome.exe 4444 chrome.exe 5044 chrome.exe 5044 chrome.exe 3180 chrome.exe 3180 chrome.exe 3496 chrome.exe 3496 chrome.exe 4884 chrome.exe 4884 chrome.exe 1352 chrome.exe 1352 chrome.exe 2752 chrome.exe 2752 chrome.exe 4760 chrome.exe 4760 chrome.exe 3184 chrome.exe 3184 chrome.exe 4928 chrome.exe 4928 chrome.exe 4760 Mercurial.exe 4760 Mercurial.exe 4760 Mercurial.exe 4760 Mercurial.exe 4760 Mercurial.exe 4760 Mercurial.exe 4760 Mercurial.exe 4760 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 2736 Mercurial.exe 176 chrome.exe 176 chrome.exe 2268 chrome.exe 2268 chrome.exe 2200 chrome.exe 2200 chrome.exe 4676 chrome.exe 4676 chrome.exe 2520 chrome.exe 2520 chrome.exe 2860 msedge.exe 2860 msedge.exe 3908 msedge.exe 3908 msedge.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe 2548 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
WinRAR.exeMercurial.exepid Process 1068 WinRAR.exe 2980 Mercurial.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs
Processes:
chrome.exechrome.exechrome.exemsedge.exechrome.exepid Process 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 3908 msedge.exe 3908 msedge.exe 3908 msedge.exe 3908 msedge.exe 3908 msedge.exe 2268 chrome.exe 3380 chrome.exe 3380 chrome.exe 3380 chrome.exe 3380 chrome.exe 3380 chrome.exe 3380 chrome.exe 3380 chrome.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
Mercurial.exeMercurial.exeoutput.exeoutput.exeAUDIODG.EXEMercurial.exePulaExe.exePulaExe.exeMercurial.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePlaece.exePulaExe.exePulaExe.exePulaExe.exePulaExe.exeoutput.exedescription pid Process Token: SeDebugPrivilege 4760 Mercurial.exe Token: SeDebugPrivilege 2736 Mercurial.exe Token: SeDebugPrivilege 1276 output.exe Token: SeDebugPrivilege 1884 output.exe Token: 33 4612 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4612 AUDIODG.EXE Token: SeDebugPrivilege 1408 Mercurial.exe Token: SeDebugPrivilege 4864 PulaExe.exe Token: SeDebugPrivilege 3784 PulaExe.exe Token: SeDebugPrivilege 2980 Mercurial.exe Token: SeDebugPrivilege 1888 Plaece.exe Token: SeDebugPrivilege 708 Plaece.exe Token: SeDebugPrivilege 1760 Plaece.exe Token: SeDebugPrivilege 4808 Plaece.exe Token: SeDebugPrivilege 3488 Plaece.exe Token: SeDebugPrivilege 696 Plaece.exe Token: SeDebugPrivilege 3988 Plaece.exe Token: SeDebugPrivilege 4676 Plaece.exe Token: SeDebugPrivilege 1156 Plaece.exe Token: SeDebugPrivilege 5184 Plaece.exe Token: SeDebugPrivilege 5440 PulaExe.exe Token: SeDebugPrivilege 5508 PulaExe.exe Token: SeDebugPrivilege 5612 PulaExe.exe Token: SeDebugPrivilege 5764 PulaExe.exe Token: SeDebugPrivilege 6056 output.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exechrome.exepid Process 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
chrome.exechrome.exechrome.exepid Process 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 756 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 4884 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe 2268 chrome.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exehelppane.exeMercurial.exepid Process 3512 winrar-x64-611.exe 3512 winrar-x64-611.exe 3512 winrar-x64-611.exe 3520 uninstall.exe 4752 WinRAR.exe 4752 WinRAR.exe 3956 helppane.exe 3956 helppane.exe 2980 Mercurial.exe 2980 Mercurial.exe 2980 Mercurial.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid Process procid_target PID 756 wrote to memory of 4376 756 chrome.exe 84 PID 756 wrote to memory of 4376 756 chrome.exe 84 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 2812 756 chrome.exe 88 PID 756 wrote to memory of 948 756 chrome.exe 89 PID 756 wrote to memory of 948 756 chrome.exe 89 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90 PID 756 wrote to memory of 1544 756 chrome.exe 90
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/NightfallGT/Mercurial-Grabber/releases/download/v1.0/Mercurial.Grabber.v1.03.rar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f702⤵PID:4376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:22⤵PID:2812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:82⤵PID:1544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:12⤵PID:3540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:12⤵PID:3992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:82⤵PID:2272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:82⤵
- Drops file in Program Files directory
PID:416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵PID:3268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵PID:2352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:12⤵PID:2592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:82⤵PID:3952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:82⤵PID:4068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:82⤵PID:3160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:12⤵PID:4192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:82⤵PID:3952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:4740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:82⤵PID:4396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:82⤵PID:4780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1564 /prefetch:12⤵PID:4568
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵PID:2764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵PID:2016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:12⤵PID:4500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:12⤵PID:4196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵PID:4504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 /prefetch:82⤵PID:3584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:82⤵PID:3468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:82⤵PID:3672
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:82⤵PID:1608
-
-
C:\Users\Admin\Downloads\winrar-x64-611.exe"C:\Users\Admin\Downloads\winrar-x64-611.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3512 -
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3520
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:82⤵PID:1352
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3752
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4884 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f702⤵PID:4708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:82⤵PID:1836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:12⤵PID:1736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:12⤵PID:4000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:22⤵PID:1296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:12⤵PID:3748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵PID:956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:82⤵PID:2560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:82⤵PID:2524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:1036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵PID:2288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3504 /prefetch:82⤵PID:2692
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4752
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"2⤵
- Executes dropped EXE
PID:3028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
PID:1068 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Rar$DIa1068.26740\readme.txt3⤵PID:4684
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:884
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3284
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"1⤵
- Executes dropped EXE
PID:2368
-
C:\Users\Admin\Desktop\Mercurial.exe"C:\Users\Admin\Desktop\Mercurial.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 11282⤵
- Program crash
PID:1296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 20922⤵
- Program crash
PID:1048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4760 -ip 47601⤵PID:3344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 47601⤵PID:4584
-
C:\Users\Admin\Desktop\Mercurial.exe"C:\Users\Admin\Desktop\Mercurial.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i3qgymj\1i3qgymj.cmdline"2⤵PID:3344
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2802.tmp" "c:\Users\Admin\Desktop\CSCAA1BCC95BAA94BC8A9E1610E35F5641.TMP"3⤵PID:2272
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2268 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f702⤵PID:2820
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:22⤵PID:32
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:82⤵PID:4012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:12⤵PID:4100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:12⤵PID:1476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:12⤵PID:708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:82⤵PID:1908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:82⤵PID:1672
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵PID:2352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:82⤵PID:640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:12⤵PID:3216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:12⤵PID:2952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:12⤵PID:3276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵PID:1960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:82⤵PID:4756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:82⤵PID:4612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:82⤵PID:1172
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1528 /prefetch:12⤵PID:4912
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4784 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3212
-
C:\Users\Admin\Desktop\output.exe"C:\Users\Admin\Desktop\output.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3956 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=5288842⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3908 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa005f46f8,0x7ffa005f4708,0x7ffa005f47183⤵PID:2368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:23⤵PID:4264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:83⤵PID:1540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:13⤵PID:1428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:13⤵PID:4080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 /prefetch:83⤵PID:1612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:13⤵PID:4276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:13⤵PID:2476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5584 /prefetch:83⤵PID:3820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:13⤵PID:4976
-
-
-
C:\Users\Admin\Desktop\output.exe"C:\Users\Admin\Desktop\output.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1692
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x498 0x4a01⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
C:\Users\Admin\Desktop\Mercurial.exe"C:\Users\Admin\Desktop\Mercurial.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vnfttoy\2vnfttoy.cmdline"2⤵PID:2104
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32A.tmp" "c:\Users\Admin\Desktop\CSCDE0D2A28D9894E77A0BFF28B3C52199.TMP"3⤵PID:3648
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3380 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f702⤵PID:1636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:22⤵PID:1068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2176 /prefetch:82⤵PID:3912
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:82⤵PID:4816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:12⤵PID:1540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:12⤵PID:4280
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:12⤵PID:3428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:82⤵PID:924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:82⤵PID:2980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:82⤵PID:4856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:12⤵PID:3276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:82⤵PID:1040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:82⤵PID:3996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:82⤵PID:412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:82⤵PID:3832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:82⤵PID:2212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:82⤵PID:1492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵PID:1664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:12⤵PID:4828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:82⤵PID:2236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:82⤵PID:2496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:12⤵PID:5104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5048 /prefetch:22⤵PID:3696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:82⤵PID:1500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:82⤵PID:1976
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4504
-
C:\Users\Admin\Desktop\PulaExe.exe"C:\Users\Admin\Desktop\PulaExe.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
C:\Users\Admin\Desktop\PulaExe.exe"C:\Users\Admin\Desktop\PulaExe.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
C:\Users\Admin\Desktop\Mercurial.exe"C:\Users\Admin\Desktop\Mercurial.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\if42ityh\if42ityh.cmdline"2⤵PID:548
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19F.tmp" "c:\Users\Admin\Desktop\CSC447E69A06D2D44C0AC1AAFEB8A7EFB8F.TMP"3⤵PID:5088
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3028
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵PID:5032
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f702⤵PID:3044
-
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:708
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4808 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4808 -s 20402⤵
- Program crash
PID:5408
-
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3488 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3488 -s 19602⤵
- Program crash
PID:5384
-
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:696 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 696 -s 20122⤵
- Program crash
PID:5796
-
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
C:\Users\Admin\Desktop\Plaece.exe"C:\Users\Admin\Desktop\Plaece.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5184 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5184 -s 20802⤵
- Program crash
PID:3208
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4808 -ip 48081⤵PID:5340
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 3488 -ip 34881⤵PID:5348
-
C:\Users\Admin\Desktop\PulaExe.exe"C:\Users\Admin\Desktop\PulaExe.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5440
-
C:\Users\Admin\Desktop\PulaExe.exe"C:\Users\Admin\Desktop\PulaExe.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5508 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5508 -s 21482⤵
- Program crash
PID:5548
-
-
C:\Users\Admin\Desktop\PulaExe.exe"C:\Users\Admin\Desktop\PulaExe.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5612 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5612 -s 21442⤵
- Program crash
PID:2120
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 696 -ip 6961⤵PID:5736
-
C:\Users\Admin\Desktop\PulaExe.exe"C:\Users\Admin\Desktop\PulaExe.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5764 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5764 -s 21442⤵
- Program crash
PID:5408
-
-
C:\Users\Admin\Desktop\output.exe"C:\Users\Admin\Desktop\output.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6056
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 548 -p 5764 -ip 57641⤵PID:5472
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 5508 -ip 55081⤵PID:5412
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 5184 -ip 51841⤵PID:5536
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 5612 -ip 56121⤵PID:4148
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD58933d6e810668af29d7ba8f1c3b2b9ff
SHA1760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
-
Filesize
632KB
MD5650a771d005941c7a23926011d75ad8f
SHA184b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA5124724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad
-
Filesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
Filesize
95KB
MD5d4c768c52ee077eb09bac094f4af8310
SHA1c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
SHA2568089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
SHA5125b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847
-
Filesize
314KB
MD581b236ef16aaa6a3936fd449b12b82a2
SHA1698acb3c862c7f3ecf94971e4276e531914e67bc
SHA256d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
SHA512968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769
-
Filesize
2.3MB
MD50b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA123e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
-
Filesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
Filesize
40B
MD5a3a937930c5b01ecd542f094135aa0a4
SHA179234b7656f2a562129f98b27bc0762dc867d7fa
SHA256985145fe40ae859f59ca7f31f100fe1a194f21810f50f5fd26c4c73c25b03ff9
SHA5127fa94881f580973ffe4c6b67b811d47e7c104681b1fb8b36c6754ca0d29e731e89c252a9ea62e1888edf2eb3ffc8aa9f6462ed78f61c9683ddbe0d3f50f7ca41
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json
Filesize10KB
MD590f880064a42b29ccff51fe5425bf1a3
SHA16a3cae3996e9fff653a1ddf731ced32b2be2acbf
SHA256965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268
SHA512d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.json
Filesize7KB
MD50834821960cb5c6e9d477aef649cb2e4
SHA17d25f027d7cee9e94e9cbdee1f9220c8d20a1588
SHA25652a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69
SHA5129aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4
-
Filesize
24KB
MD5edcc1881af866a0367752f95a25d9103
SHA14a821b1d12d053dc23462cd6cff3ce011e385d3a
SHA256ee009473817a83864eaae2f8b6c5872435c36e2ff7029e3edc236f0191c9f595
SHA512f0fba151d7adc4f9944bc5aec59b6059017dda1768c9233e339e94ded4a539901d88d66be435f5388c0fdcbe7ffb4d642f852e35010f7f163caff5973b5d7648
-
Filesize
116KB
MD5ea51abc53261e3244e585807cee1d835
SHA18389de61bebe40d0d60ef0a40d9161b5b8205c05
SHA2563f414501ef1b8de6843e030ef9efc00eeb61c476f3e889c7a7b2080ea764faa1
SHA5125335b12344389ca115f153b23122eb8cb7bbc0292b0d906029dc897ba57fe9ab45bcacd9bde5b8b3441724faabf6f9154c2574f5b4242dc65c2be723a440f06f
-
Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
Filesize
6KB
MD5a431cb2d117497697a74d9fd0842c8e3
SHA1cadba0b26dcf07a78674ac6b9cf90993d07bd8a1
SHA256bdd17cb63fafbbce26a059ecae3fa03edeb6a9a8d6963cbf6d161ca147fee148
SHA5127e9b99dfba8ea43697da9056c3e410dbb57889f836841d70db194f3c18b2417ca73f0205306939939e540a1e962fcdf16548c3a13836da1236b3a11ff81c86bc
-
Filesize
17KB
MD53b761451c18c4cbd57eec4b34f8b4c2a
SHA1666b14dbc159673fff26c07b9c2b5e243a22da24
SHA25615caba3645aee3169941c9301156bb6a636cf720700f8973fba6c0cfcdcc47b0
SHA5124d7e94c21ccb0b86384b37c6caf6b20cf05a43c63160d3a975c4ce5ab297e8d3b51260f0f64b745acb418a1ecf7e8dfcf99f140c86087a1feb76c21def5bfa20
-
Filesize
12KB
MD5b7d137ab02f6f4fbfc3eb1c1bdcee491
SHA1837c804157c665cd68dd014b7c03332dd3e1d65e
SHA2565907069ceb4f9e043dde39db1dbb298f75e8523015f43e74c86d796ec702afb3
SHA512638829e1b44606602912419f41950098eca53ec7948736f1866d95aa317e911135bf55552a07b9f86cd2fc4fd80a2941107b961dab7955f18142b0aca1f9032a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize172B
MD5dc28d409c98e490dce22c4195afc0889
SHA12f03f790f8d723b9902040f08768de9a28c7c516
SHA256d16350d1378b30efd5d1a2b58f72ec429bb5538587ce193a4eb00786df724af5
SHA512f7676eca8826cbdbd0b22726108f85b370ea7d614273c9fe523d6bc3264e37f4cbd5718c494608ce4ddfa12a93df914ae31943b197e6d45ee8d2b248b874aa90
-
Filesize
345B
MD5d8571b0fb78f46541e0e87923b939034
SHA16b169326e3e51beaec365f77b2b15fac918f1e9c
SHA256644d35bd901bee19586f8d67ea84faa02a128071443df08512a57f292eaa9e51
SHA5126b41814ce595918c9597891f748f8bd346d205603343149ee7a7669a67845f9d25d1dd8c3b23f2e9e8ddb740ea42323ced6889866e89b95dc2ee08a3c55bc053
-
Filesize
160B
MD5de92ad90be6d3364745b2f73f4c3cf73
SHA19158681463bd30e5af4dda4baac81f93cedbda77
SHA2560025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0
SHA5129e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79
-
Filesize
324B
MD54fce37edd40b4a01b8fcba5e5d68c91d
SHA141052e4167ec024050db5a54f97c727bf7cdedac
SHA256f6b07a518536a0989226cbc069597bbf5d5b264a2c0bc67024db3db66393d0b1
SHA5126cf7990595ba8b502a9b92b2188f4c1c39c2deb8b35b99bb6c9fb710eb9bb9126de7cedede6d2c27ba0e9bee57850fbd66519f31b70da2d3796a5a0e9d7fd4f1
-
Filesize
128KB
MD50820feb6c3ddcf85fe2410d66308f4f0
SHA12f1a34a5c8d56a7ce025bbc990541ff6c145833b
SHA256c2252408e0c786dcb30e2b82d6605079caf85433164618b7933a246884afac8d
SHA5120dd804abf32a3b074d5c019f560ac6f95021c53e30cb6b8ac7a3df6c059407ff3f1115aa0da24ac78f79adfe4d7087fe75908934249bbfcc252d1b4dfb0b0612
-
Filesize
88KB
MD595b45a4b38dbd8599748ae565d4fc4d5
SHA19acbc0ef36e04e46a235c8035624d9f64724950a
SHA256b483cd8fe0b5fb247d621a73a9ff639b06095911905cb42eaacbf4ee404939ca
SHA51288d71067721134a4c95f8283f381a3ed07b30ee3defc88aed3d77513e17c894f86819c8a6b272a59b2e77c42ea4c273b3d033a900f98389350e93efcc81e45e2
-
Filesize
13B
MD5b63048c4e7e52c52053d25da30d9c5ab
SHA1679a44d402f5ec24605719e06459f5a707989187
SHA256389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359
-
Filesize
182KB
MD53dc3a909b58ff44e2adca2587354227e
SHA1d1675b30734bc36aabc976b879cc6f3714adf55b
SHA2563313dc9c9770d38cf5d914a94b4fb6fd3c3103e2efc2ce043f6dd145a78f81ee
SHA512484b7e5d263d4b4a91a09b098905b3a7a77df38bc8d10ac0e93d6c836ce94b1979e3f3a642c4d1749c203e15da9f6d83244dd0d1ae3262e5dba28bc195b0d5f8
-
Filesize
264KB
MD5e2dda5deb17addf9d33810739366e412
SHA14b04218391fa701b4fdc3e3f159024aef420010c
SHA25681da940dca4f5ac1aeec5ffd114c8f562e8919db074a808388715163800cb18e
SHA512cf9078d13ec590ffaf842f8bdf000659d15a79255bfb86fdf1db6ddf58752a69f7efca4718f125a981c75fff48b75809f1fa8d8d8312405709f43675d6388aed
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
Filesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e