Analysis Overview
SHA256
63ffc1d007e94fccd4086557660db2c554ce86ceece27b29bcded4ecf6cd5596
Threat Level: Known bad
The file Virus.exe was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Program crash
Checks processor information in registry
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-08 01:31
Signatures
Mercurialgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-08 01:31
Reported
2022-10-08 01:34
Platform
win7-20220812-en
Max time kernel
43s
Max time network
80s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Virus.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 768 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\Virus.exe | C:\Windows\system32\WerFault.exe |
| PID 768 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\Virus.exe | C:\Windows\system32\WerFault.exe |
| PID 768 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\Virus.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Virus.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 768 -s 1908
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 96.16.53.134:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/768-54-0x00000000008B0000-0x00000000008C0000-memory.dmp
memory/1496-55-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-08 01:31
Reported
2022-10-08 01:34
Platform
win10v2004-20220901-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Virus.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Virus.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 20.42.65.84:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 104.80.229.204:443 | N/A | tcp |
Files
memory/2068-132-0x0000000000430000-0x0000000000440000-memory.dmp
memory/2068-133-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp
memory/2068-134-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp