Analysis
max time kernel: 92s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2023 14:16
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/folder/c6UkjJAB#-L4-dyssm7RwtjDDdKQSJg
Resource: win10v2004-20230703-en

General
Target: https://mega.nz/folder/c6UkjJAB#-L4-dyssm7RwtjDDdKQSJg
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1130140376913678346/ja6erGbpE5ym8iaSV4jCUkb0UliCmOMOJ7FyBaQwxBVGN7xfKE_c0hqJiOoTumdedceA
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: Fps Booster v1.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Fps Booster v1.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: Fps Booster v1.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Fps Booster v1.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: Fps Booster v1.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Fps Booster v1.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Fps Booster v1.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mercurial Grabber = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fps Booster v1.exe\"" | Fps Booster v1.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: Fps Booster v1.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Fps Booster v1.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Fps Booster v1.exe

Checks SCSI registry key(s) (3 TTPs, 1 IoC)
SCSI information is often read in order to detect sandboxing environments.
Processes: Fps Booster v1.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Fps Booster v1.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Fps Booster v1.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Fps Booster v1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Fps Booster v1.exe

Enumerates system info in registry (2 TTPs, 7 IoCs)
Processes: chrome.exe, Fps Booster v1.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Fps Booster v1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Fps Booster v1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Fps Booster v1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Fps Booster v1.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340770005898910" | chrome.exe

Modifies registry class (1 IoC)
Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings | chrome.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: chrome.exe, Fps Booster v1.exe
  pid | process
  2544 | chrome.exe (4 entries)
  4204 | Fps Booster v1.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes: chrome.exe
  pid | process
  2544 | chrome.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2544 | chrome.exe (32 entries)
  Token: SeCreatePagefilePrivilege | 2544 | chrome.exe (32 entries)
  The two tokens alternate throughout the log, 64 entries in total.

Suspicious use of FindShellTrayWindow (34 IoCs)
Processes: chrome.exe, Fps Booster v1.exe
  pid | process
  2544 | chrome.exe (33 entries)
  4204 | Fps Booster v1.exe (1 entry)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: chrome.exe
  pid | process
  2544 | chrome.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
  description | pid | process | target process
  PID 2544 wrote to memory of 2552 | 2544 | chrome.exe | chrome.exe (2 entries)
  PID 2544 wrote to memory of 1780 | 2544 | chrome.exe | chrome.exe (repeated)
  PID 2544 wrote to memory of 4168 | 2544 | chrome.exe | chrome.exe (2 entries)
  PID 2544 wrote to memory of 4740 | 2544 | chrome.exe | chrome.exe (repeated)
  64 entries in total; the bulk of them are writes to PID 1780 and PID 4740.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2544)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/c6UkjJAB#-L4-dyssm7RwtjDDdKQSJg
  Signatures:
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2552)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca5779758,0x7ffca5779768,0x7ffca5779778
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1780)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4168)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4740)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2968)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 884)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4000)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3704)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4660)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4900 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2712)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2100)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4568)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3292)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 --field-trial-handle=1900,i,18028004056446314646,2433848555588763257,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 4140)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\AUDIODG.EXE (PID 4136)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x4e4

C:\Windows\System32\rundll32.exe (PID 4376)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\FPS BOOSTER\FPS BOOSTER\Fps Booster v1.exe (PID 4204)
  Command line: "C:\Users\Admin\Downloads\FPS BOOSTER\FPS BOOSTER\Fps Booster v1.exe"
  Signatures:
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 21KB
MD5: b1dfa46eee24480e9211c9ef246bbb93
SHA1: 80437c519fac962873a5768f958c1c350766da15
SHA256: fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398
SHA512: 44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Filesize: 36KB
MD5: f90ac636cd679507433ab8e543c25de5
SHA1: 3a8fe361c68f13c01b09453b8b359722df659b84
SHA256: 5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce
SHA512: 7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

Filesize: 72B
MD5: 4522cf9ec7b6c8dfca0655e2d5daecd5
SHA1: af393d8f39b002471d289ff75b3c281303c227c9
SHA256: 853ed7e2c51f7271c4b358f1982e0f48b7e8d74dea1024010e5bf60699993578
SHA512: 03d0f5c0fda44c04af132d932d2e988db4f11761a7e2092a346ba30ab74e38406bbdd0e124378cb46edd191e620edcfd2418a27c66c584850289d313b81901d8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 2KB
MD5: 2bbde52c4d4f7fff10fc4f48de9fd02a
SHA1: 443d2b772d4f75dd18b833918f340c4566621e01
SHA256: 0e1c22a220e93cf9242cb310f708f5db2ddd0549af02c8b5071f6c8f0a6b88d5
SHA512: 8e6614dd3cb9492c36230b17cde4eda9f51f620bdcb1e5718a2042bffec885434bae6260f1b13d021a54c8d57b14ae118ed77dee91cea3224dd47d980b44cfad

Filesize: 371B
MD5: 08e203660e9ebdb3f9ac13a0563e9c56
SHA1: 1c9d8ace5a09c6d916e10a249ed992e5a294c102
SHA256: 8f132d78d40631c4b8bffe254dceb826a9dfdbd7dc50482b0c4f3cf2cd55163b
SHA512: 2d18f74ab02c188dde31147eab6ec529dbc709d52a6efd472786f421ace6276be72c37678402cdddc918c866b3ccc2e0ee67c3564ecec53c432afe5581b0ec29

Filesize: 6KB
MD5: 3c9aeced4b49cfd2ad3215452192fb07
SHA1: a85edbdfbb43a11d42e3336a8b5cc8f0ed37f9a1
SHA256: 7552b9a5366e1b4c151a7c79a3db301712b208716e3ae06505dee389376425fe
SHA512: 7aff5bc53b81ee7df32381a20d19596ab74169ba784937677c5a199e36c577f50767ac01bf275ccc42bda34e33484a0b5bcda4966e2fba035379ed23b77754fd

Filesize: 6KB
MD5: e1ddf5bbc9015461b0de2bbf56866ea0
SHA1: d3ca2cdb086c5e5b2148e596bb0e40ed36bc4013
SHA256: 5caf6bf30a5f703b9b7624950f53ced5149a2dd33851f7575ecb01b1475ef6aa
SHA512: 2eb59b2cde67ba941c962a703847a110a409ec8da620f7b2f1f96d9768083d1c899dea1683b99d394818e88f22ce45a4143b416db1bb5348db43c0fff68ba7c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: d55b2df7c196f13544734add4a735b6b
SHA1: d453acf1ff9e5f2bbba864079f3d1bdd64227017
SHA256: a24be5dd19ab98929561b89eea706a7c6103d1877aa185d5228b131b523aea58
SHA512: e4569148b4946c85fbe519f58184716671073d336b155c8db7e9d57bb1fd71bfbf04ac2070e8a6958ebd3de850810f500829b2992e051c0f6767f0522778f901

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587664.TMP
Filesize: 48B
MD5: 947838fc7e46e0e524194db557497596
SHA1: dedeca665e17acc6023a1b0ff7d8eeef59e46480
SHA256: 237ee6daaa291a21cf5eb6f6dc837e7482a4023593b2469cc202f3d7ef2f4289
SHA512: 6b19dc55b287c87168eeacd7085ac914d18822d31d672cc79a37dd3fae804ca31eecb774cdcca1d4a70277097d62d578e0feb6b478b32ff9495e66c9298be161

Filesize: 89KB
MD5: 251cc6cac3a19f2d31b0408fd4b8be6b
SHA1: a2b0da4a2c4dcef72e6f1cd1a1c5b8b2d11a6c42
SHA256: f9c3020a00f91150e1ac61931742afbaa665f3fe12496f973bae2da01473520d
SHA512: 318693e01e122f83d506bfbd87e47d2c018c70188f8a8dfa46069e8d3458ade4b09a99416d4523ad23c38d0542a8479f87dcdd75029fa27948c6ac3d13fa2992

Filesize: 89KB
MD5: 8a1fc157cbe747db64e0bb6cb13a9c30
SHA1: 0b9afdcaa8690351a459fe27391eb64479d20440
SHA256: a920ff804f5cc914465e497f355e1dae9d1a07216a5e22080e336d6f54b8d5b1
SHA512: 9d86be108950d4eb862a4a4f8c461209a300fbfa88cb7850083e22af2ae050ea9212179d89a335c08b6c1be0fbb57ffe25bfe25875293fb16f38053e50d5463e

Filesize: 89KB
MD5: e2e26696f35909d4b8f55cb9343ac8d8
SHA1: 711cdcbd4ec2e0f764d8922c98040b6f8d00adc5
SHA256: 36e27b4ca90fb452458f49e4510c536600ded2ccf4885f689a459a7cd57488b4
SHA512: 35a507ee397c4276da7edd81715ee6be3ee4f76d4a680052ca706203093513c9eed2136063a9f9b4fe1b35341112907159c1e1f82c81f638fc35a3acf22752f0

Filesize: 108KB
MD5: 773c4a49e23e098e4710fb6f261b62ee
SHA1: af09f8086ed559918daf1fbfeafa5af0318474ff
SHA256: 94a940885350637774f91bc879dc1f29a71a882dd148281eba0dfb4032b063e1
SHA512: 4ddef702f2a3a9b66a28c867c2b74c21b562c2c8479d3f32ae031852d3646ba396dd243d3f5176243cef909870058a39c354e3addee7e9d99b05ceab79b067c6

Filesize: 110KB
MD5: 3038ef6ef4d504e1f8bff609c730f4be
SHA1: c2ca7dba820b6112ce1a1052a6328b7124a385b1
SHA256: 692a3bb74ee2dd75a6154a36ec4ad28b6eec02d160eea3be7ad804a0e149b1ac
SHA512: 716c4ce4ca93148e0d3d532255d125d56dd352cdee889c646e509909673f8db85dd2588a836614e1ea5daa85edf6b87c04b0a4ab8be79f932ff56de7d5882a41

Filesize: 100KB
MD5: 6ea8c8e1c302e59da12a97692acd8a76
SHA1: c7493719343fb2ec77b362e534c653a1d72ada41
SHA256: 94f00916329a42d766585a392c4d81b8bee05a46fdae93d46b37098cb7cde2a5
SHA512: 12103b12c4b59ec9240713728c21da572bfb506cce8b2aba8a92423436bfd5aa2aa22dea7e05aa83eb56c6154a7cd40d8365c754070414673c39e12d1986557c

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 46KB
MD5: 5bc3a80b641e15b7bd8f726074ba05e3
SHA1: 8f9b5f4b8e4cbcb4984b5c87bb0ba75069ba3840
SHA256: c03456165a984c7ae592439aaaa76af06f7e8bc428f2ff79d75eb377d37fb9f0
SHA512: 5a0a90ae5a83b331783d7a4c0773bdb06d1f08e712377b1362b2e081bb6a76b43f673fe77c7cb4d820a6b928161c37cb975151ac2408c73d779f6c49c20a5c49

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e