mercurialgrabber | d0e639e77b38431766278ad13dc34be9c510f1f5bdedc1fc8c0233b83b4da511

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe

Executes dropped EXE 6 IoCs

pid	Process
4688	Mercurial.exe
3460	output.exe
4900	Discord.AIO.exe
4112	Confuser.CLI.exe
2728	Tst.exe
4572	Tst.exe

Loads dropped DLL 56 IoCs

pid	Process
4900	Discord.AIO.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4688-1135-0x0000000005D60000-0x0000000005D74000-memory.dmp	agile_net
behavioral2/memory/4688-1136-0x0000000005D70000-0x0000000005DDE000-memory.dmp	agile_net
behavioral2/memory/4688-1134-0x0000000005D50000-0x0000000005D60000-memory.dmp	agile_net
behavioral2/memory/4688-1138-0x0000000005E30000-0x0000000005E66000-memory.dmp	agile_net
behavioral2/memory/4688-1137-0x0000000005DF0000-0x0000000005E0E000-memory.dmp	agile_net
behavioral2/memory/4688-1140-0x0000000005E90000-0x0000000005E9E000-memory.dmp	agile_net
behavioral2/memory/4688-1139-0x0000000005E70000-0x0000000005E7E000-memory.dmp	agile_net
behavioral2/memory/4688-1133-0x0000000005C10000-0x0000000005C30000-memory.dmp	agile_net
behavioral2/memory/4688-1132-0x0000000005BF0000-0x0000000005C10000-memory.dmp	agile_net
behavioral2/memory/4688-1141-0x00000000067A0000-0x00000000068EA000-memory.dmp	agile_net
behavioral2/memory/4688-1131-0x0000000005BD0000-0x0000000005BEC000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2088-4548-0x00007FFEDC4E0000-0x00007FFEDC94E000-memory.dmp	upx
behavioral2/memory/2088-4549-0x00007FFEF1CF0000-0x00007FFEF1D14000-memory.dmp	upx
behavioral2/memory/2088-4550-0x00007FFEFA6A0000-0x00007FFEFA6AF000-memory.dmp	upx
behavioral2/memory/2088-4554-0x00007FFEE7210000-0x00007FFEE723E000-memory.dmp	upx
behavioral2/memory/2088-4553-0x00007FFEF1460000-0x00007FFEF1479000-memory.dmp	upx
behavioral2/memory/2088-4612-0x00007FFEDC4E0000-0x00007FFEDC94E000-memory.dmp	upx
behavioral2/memory/2088-4614-0x00007FFEFA6A0000-0x00007FFEFA6AF000-memory.dmp	upx
behavioral2/memory/2088-4613-0x00007FFEF1CF0000-0x00007FFEF1D14000-memory.dmp	upx
behavioral2/memory/2088-4615-0x00007FFEF1460000-0x00007FFEF1479000-memory.dmp	upx
behavioral2/memory/2088-4616-0x00007FFEED890000-0x00007FFEED8BD000-memory.dmp	upx
behavioral2/memory/2088-4617-0x00007FFEE8390000-0x00007FFEE83A9000-memory.dmp	upx
behavioral2/memory/2088-4620-0x00007FFEE07E0000-0x00007FFEE089C000-memory.dmp	upx
behavioral2/memory/2088-4619-0x00007FFEE7210000-0x00007FFEE723E000-memory.dmp	upx
behavioral2/memory/2088-4622-0x00007FFEF5A30000-0x00007FFEF5A3A000-memory.dmp	upx
behavioral2/memory/2088-4623-0x00007FFEE7020000-0x00007FFEE703C000-memory.dmp	upx
behavioral2/memory/2088-4621-0x00007FFEE7080000-0x00007FFEE70AB000-memory.dmp	upx
behavioral2/memory/2088-4624-0x00007FFEF20F0000-0x00007FFEF211E000-memory.dmp	upx
behavioral2/memory/2088-4618-0x00007FFEF80C0000-0x00007FFEF80CD000-memory.dmp	upx
behavioral2/memory/2088-4625-0x00007FFEDDD50000-0x00007FFEDE0C5000-memory.dmp	upx
behavioral2/memory/2088-4626-0x00007FFEE0A20000-0x00007FFEE0AD8000-memory.dmp	upx
behavioral2/memory/2088-4627-0x00007FFEE83E0000-0x00007FFEE83F4000-memory.dmp	upx
behavioral2/memory/2088-4628-0x00007FFEF29D0000-0x00007FFEF29DD000-memory.dmp	upx
behavioral2/memory/2088-4629-0x00007FFEF2890000-0x00007FFEF289B000-memory.dmp	upx
behavioral2/memory/2088-4630-0x00007FFEE83B0000-0x00007FFEE83D5000-memory.dmp	upx
behavioral2/memory/2088-4631-0x00007FFEE0900000-0x00007FFEE0A18000-memory.dmp	upx
behavioral2/memory/2088-4632-0x00007FFEE5EC0000-0x00007FFEE5EDF000-memory.dmp	upx
behavioral2/memory/2088-4633-0x00007FFEDDBD0000-0x00007FFEDDD41000-memory.dmp	upx
behavioral2/memory/2088-4634-0x00007FFEF20E0000-0x00007FFEF20EB000-memory.dmp	upx
behavioral2/memory/2088-4635-0x00007FFEF1D70000-0x00007FFEF1D7B000-memory.dmp	upx
behavioral2/memory/2088-4636-0x00007FFEF1CE0000-0x00007FFEF1CEC000-memory.dmp	upx
behavioral2/memory/2088-4637-0x00007FFEED880000-0x00007FFEED88B000-memory.dmp	upx
behavioral2/memory/2088-4638-0x00007FFEED800000-0x00007FFEED80C000-memory.dmp	upx
behavioral2/memory/2088-4639-0x00007FFEEC860000-0x00007FFEEC86B000-memory.dmp	upx
behavioral2/memory/2088-4641-0x00007FFEE5EB0000-0x00007FFEE5EBD000-memory.dmp	upx
behavioral2/memory/2088-4642-0x00007FFEE5EA0000-0x00007FFEE5EAE000-memory.dmp	upx
behavioral2/memory/2088-4640-0x00007FFEE7200000-0x00007FFEE720C000-memory.dmp	upx
behavioral2/memory/2088-4643-0x00007FFEE1380000-0x00007FFEE138C000-memory.dmp	upx
behavioral2/memory/2088-4644-0x00007FFEE1370000-0x00007FFEE137C000-memory.dmp	upx
behavioral2/memory/2088-4645-0x00007FFEE1360000-0x00007FFEE136B000-memory.dmp	upx
behavioral2/memory/2088-4646-0x00007FFEE1350000-0x00007FFEE135B000-memory.dmp	upx
behavioral2/memory/2088-4648-0x00007FFEE1330000-0x00007FFEE133C000-memory.dmp	upx
behavioral2/memory/2088-4647-0x00007FFEE1340000-0x00007FFEE134C000-memory.dmp	upx
behavioral2/memory/2088-4649-0x00007FFEE1320000-0x00007FFEE132D000-memory.dmp	upx
behavioral2/memory/2088-4650-0x00007FFEE1240000-0x00007FFEE1252000-memory.dmp	upx
behavioral2/memory/2088-4651-0x00007FFEE1310000-0x00007FFEE131C000-memory.dmp	upx
behavioral2/memory/2088-4652-0x00007FFEE08E0000-0x00007FFEE08F5000-memory.dmp	upx
behavioral2/memory/2088-4653-0x00007FFEE08D0000-0x00007FFEE08E0000-memory.dmp	upx
behavioral2/memory/2088-4655-0x00007FFEE07C0000-0x00007FFEE07DB000-memory.dmp	upx
behavioral2/memory/2088-4656-0x00007FFEDE3B0000-0x00007FFEDE3C3000-memory.dmp	upx
behavioral2/memory/2088-4654-0x00007FFEE08B0000-0x00007FFEE08C4000-memory.dmp	upx
behavioral2/memory/2088-4657-0x00007FFEDE390000-0x00007FFEDE3A5000-memory.dmp	upx
behavioral2/memory/2088-4658-0x00007FFEDDB90000-0x00007FFEDDBCF000-memory.dmp	upx
behavioral2/memory/2088-4659-0x00007FFEE08A0000-0x00007FFEE08AE000-memory.dmp	upx
behavioral2/memory/2088-4660-0x00007FFEDE370000-0x00007FFEDE386000-memory.dmp	upx
behavioral2/memory/2088-4661-0x00007FFEDDB60000-0x00007FFEDDB89000-memory.dmp	upx
behavioral2/memory/2088-4662-0x00007FFEDCB20000-0x00007FFEDCD72000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
49	discord.com
146	discord.com
154	discord.com
385	discord.com
658	discord.com
36	discord.com
47	discord.com
48	discord.com
155	discord.com
269	dropbox.com
279	dropbox.com
600	camo.githubusercontent.com
652	discord.com
147	discord.com
275	dropbox.com
600	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
652	checkip.dyndns.org
672	api.ipify.org
677	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 1 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133553194411643988"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Discord.AIO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Discord.AIO.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2930051783-2551506282-3430162621-1000\{DAB40FA2-53AC-450B-AA3C-44494993E344}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Discord.AIO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Discord.AIO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 56003100000000005558a569100057696e646f777300400009000400efbec5522d6073582a572e000000a6050000000001000000000000000000000000000000a66f0c01570069006e0064006f0077007300000016000000	Discord.AIO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Discord.AIO.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "5"	Discord.AIO.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Discord.AIO.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Release.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\vespygrabber-main.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1016	chrome.exe
1016	chrome.exe
3912	chrome.exe
3912	chrome.exe
4688	Mercurial.exe
4688	Mercurial.exe
4688	Mercurial.exe
4688	Mercurial.exe
4688	Mercurial.exe
4688	Mercurial.exe
4688	Mercurial.exe
4688	Mercurial.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe
2088	VespyGrabber.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4408	7zFM.exe
4008	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeCreatePagefilePrivilege	1016	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
4408	7zFM.exe
4408	7zFM.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1208	chrome.exe
2824	chrome.exe
2860	MiniSearchHost.exe
4900	Discord.AIO.exe
4900	Discord.AIO.exe
3800	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2392	1016	chrome.exe	80
PID 1016 wrote to memory of 2392	1016	chrome.exe	80
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4212	1016	chrome.exe	82
PID 1016 wrote to memory of 4196	1016	chrome.exe	83
PID 1016 wrote to memory of 4196	1016	chrome.exe	83
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84
PID 1016 wrote to memory of 4596	1016	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\standard (1).gif
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef1f09758,0x7ffef1f09768,0x7ffef1f09778
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:2
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=992 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=888 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2288 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4892 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3256 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2244 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5388 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5240 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2016 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5012 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6220 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5580 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3756 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5580 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6916 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=3756 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7068 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6880 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6904 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6620 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5920 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7004 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6060 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=1696 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6712 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=3244 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=5708 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6584 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=5920 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=3756 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=6672 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=6436 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6824 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=7336 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=7492 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=7696 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=7856 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=8012 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=7816 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6636 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6484 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=8372 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7440 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=5708 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:392
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Release.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 --field-trial-handle=1816,i,400923842931506594,7846839410953132805,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
PID:2464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:896

C:\Users\Admin\Downloads\Mercurial.exe
"C:\Users\Admin\Downloads\Mercurial.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1bwxcx3\v1bwxcx3.cmdline"
  2⤵
  PID:1948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB803.tmp" "c:\Users\Admin\Downloads\CSC6526FE9A77A843BAB77172F75F3A51.TMP"
    3⤵
    PID:4220

C:\Users\Admin\Downloads\output.exe
"C:\Users\Admin\Downloads\output.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Users\Admin\Downloads\Discord.AIO.exe
"C:\Users\Admin\Downloads\Discord.AIO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzi15w2w\zzi15w2w.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA51.tmp" "c:\Users\Admin\Downloads\CSC650BC09BB94E4EB3B3FCCA2EED3F714D.TMP"
    3⤵
    PID:4304
- C:\Users\Admin\AppData\Local\Temp\Confuser\Confuser.CLI.exe
  C:\Users\Admin\AppData\Local\Temp\Confuser\Confuser.CLI.exe -n C:\Users\Admin\Downloads\Tst.exe
  2⤵
  - Executes dropped EXE
  PID:4112

C:\Users\Admin\Downloads\Tst.exe
"C:\Users\Admin\Downloads\Tst.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\Downloads\Tst.exe
"C:\Users\Admin\Downloads\Tst.exe"
1⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\Downloads\vespygrabber-main\vespygrabber-main\VespyGrabber.exe
"C:\Users\Admin\Downloads\vespygrabber-main\vespygrabber-main\VespyGrabber.exe"
1⤵
PID:1200
- C:\Users\Admin\Downloads\vespygrabber-main\vespygrabber-main\VespyGrabber.exe
  "C:\Users\Admin\Downloads\vespygrabber-main\vespygrabber-main\VespyGrabber.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:3744
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion