stormkitty | hxxps://mega[.]nz/file/enRwWBBJ#MHi98qSdxdmhWhxlAaGz2s3GOZmxHK1Wew4lzdgKU28

General

Target

https://mega.nz/file/enRwWBBJ#MHi98qSdxdmhWhxlAaGz2s3GOZmxHK1Wew4lzdgKU28

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\MercurialGrabber.exe	family_stormkitty
C:\Users\Admin\Downloads\MercurialGrabber.exe	family_stormkitty
behavioral2/memory/2008-135-0x00000000004C0000-0x0000000000640000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

Processes:

MercurialGrabber.exe

pid process

2008 MercurialGrabber.exe

pid	process
2008	MercurialGrabber.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MercurialGrabber.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	MercurialGrabber.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

105 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
105	checkip.dyndns.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4208 PING.EXE

pid	process
4208	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3096	chrome.exe
3096	chrome.exe
4496	chrome.exe
4496	chrome.exe
4388	chrome.exe
4388	chrome.exe
4768	chrome.exe
4768	chrome.exe
4516	chrome.exe
4516	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4496 chrome.exe
4496 chrome.exe
4496 chrome.exe
4496 chrome.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEMercurialGrabber.exe

description pid process

Token: 33 3956 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3956 AUDIODG.EXE
Token: SeDebugPrivilege 2008 MercurialGrabber.exe

description	pid	process
Token: 33	3956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3956	AUDIODG.EXE
Token: SeDebugPrivilege	2008	MercurialGrabber.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4496 wrote to memory of 4760	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 4760	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 2964	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 3096	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 3096	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1800	4496	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/enRwWBBJ#MHi98qSdxdmhWhxlAaGz2s3GOZmxHK1Wew4lzdgKU28
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe86514f50,0x7ffe86514f60,0x7ffe86514f70
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5732 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14648516156780798745,3960870861785380861,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8
2⤵
PID:1148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Users\Admin\Downloads\MercurialGrabber.exe
"C:\Users\Admin\Downloads\MercurialGrabber.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
PID:2392

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3468

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
PID:3988

C:\Windows\system32\findstr.exe
findstr All
3⤵
PID:60

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
2⤵
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4672

C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
3⤵
PID:1936

C:\Windows\system32\findstr.exe
findstr Key
3⤵
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Downloads\MercurialGrabber.exe"
2⤵
PID:4068

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
fb1dcfd7bc5e814fdd77178081c0c5d2

SHA1
90bf8fdf8d3dcfdecfcc86bf16edd4615671cd97

SHA256
6251e3f3e1c5871ca4ecc8e455316c397e1af21beaa5c3b4fd8f2afe46c6bbf8

SHA512
82988b4cda8a2fbd24542b3be94f30df3d99b4d75e8cc4a2af2b7c0a0d1351d53badbbe6703a0472b302c2270bdfd5b9eebe608c6869aab4adba1fc5fe52a743

Download Submit
C:\Users\Admin\Downloads\MercurialGrabber.exe
Filesize
1.5MB

MD5
d37d9c9be442ccd0c5bfed73ffe498bb

SHA1
7eeb76954589ba1e6d06774eaf33c130d8bf9097

SHA256
c1c6e41bcd2493bab8c1907b2788b3d70daca87f48ffa29411ffde032330688f

SHA512
669ec75cae38cf212d84e654857dc1c89845307ae8ed097a57dc2e83729a37715e696c5f64a8e8f2e2bb6a3a99f0305a44b0f46f580ec966a4dfdf4ca586c7ba

Download Submit
C:\Users\Admin\Downloads\MercurialGrabber.exe
Filesize
1.5MB

MD5
d37d9c9be442ccd0c5bfed73ffe498bb

SHA1
7eeb76954589ba1e6d06774eaf33c130d8bf9097

SHA256
c1c6e41bcd2493bab8c1907b2788b3d70daca87f48ffa29411ffde032330688f

SHA512
669ec75cae38cf212d84e654857dc1c89845307ae8ed097a57dc2e83729a37715e696c5f64a8e8f2e2bb6a3a99f0305a44b0f46f580ec966a4dfdf4ca586c7ba

Download Submit
\??\pipe\crashpad_4496_UTNMBFOIJCXTCYAF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-142-0x0000000000000000-mapping.dmp

Download
memory/1936-145-0x0000000000000000-mapping.dmp

Download
memory/2008-136-0x00000000027A0000-0x00000000027BA000-memory.dmp

Filesize
104KB

Download
memory/2008-135-0x00000000004C0000-0x0000000000640000-memory.dmp

Filesize
1.5MB

Download
memory/2008-152-0x00007FFE82680000-0x00007FFE83141000-memory.dmp

Filesize
10.8MB

Download
memory/2008-149-0x00007FFE82680000-0x00007FFE83141000-memory.dmp

Filesize
10.8MB

Download
memory/2008-137-0x00007FFE82680000-0x00007FFE83141000-memory.dmp

Filesize
10.8MB

Download
memory/2008-148-0x000000001C310000-0x000000001C34C000-memory.dmp

Filesize
240KB

Download
memory/2008-147-0x000000001C180000-0x000000001C192000-memory.dmp

Filesize
72KB

Download
memory/2100-143-0x0000000000000000-mapping.dmp

Download
memory/2392-139-0x0000000000000000-mapping.dmp

Download
memory/3468-140-0x0000000000000000-mapping.dmp

Download
memory/3988-141-0x0000000000000000-mapping.dmp

Download
memory/4068-150-0x0000000000000000-mapping.dmp

Download
memory/4208-151-0x0000000000000000-mapping.dmp

Download
memory/4516-146-0x0000000000000000-mapping.dmp

Download
memory/4672-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads