Analysis
-
max time kernel
183s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-03-2024 18:11
General
-
Target
https://github.com/Joe36311/Mercurial-Grabber/archive/refs/heads/main.zip
Score
10/10
Malware Config
Extracted
Family
mercurialgrabber
C2
https://discord.com/api/webhooks/898068237718261761/KniB9I7FAGbgiwGV6ub2_uE7GuQWTm94T_kcHonylqs73StuEGI3OqzKwT56iONTU2oh
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 30 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 30 IoCs
-
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 29 IoCs
-
Maps connected drives based on registry 3 TTPs 60 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks SCSI registry key(s) 3 TTPs 30 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Joe36311/Mercurial-Grabber/archive/refs/heads/main.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb191b46f8,0x7ffb191b4708,0x7ffb191b47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5016 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8548120571898649651,4831235705299730108,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3956 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\README.md2⤵
-
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"C:\Users\Admin\Downloads\Mercurial-Grabber-main\Mercurial-Grabber-main\Mercurial-Grabber-master\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD57740a919423ddc469647f8fdd981324d
SHA1c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA5127ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7
-
Filesize
152B
MD59f44d6f922f830d04d7463189045a5a3
SHA12e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA2560ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA5127c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
-
Filesize
255B
MD5d11edf9e08a127c768843acea41d0bc5
SHA1ff1af9b39de4a3f547407fd9864ffdd2bb6c7354
SHA256217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478
SHA51292c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3
-
Filesize
6KB
MD507570698b3bb339638a581c95cd04803
SHA1adead80462c6bb7bd81d301168f0d402e6c1f1d4
SHA25600979d5f547931efb8812681e9c2740672f2f60ea1f47304f8d31b2ad813f87d
SHA51249b203efaf24873f706c78e50acbedce78b50a05c89a9a574883260f7bf9757ac3116e19f470184370090b4fd337b12a1538ac721edf497963ed98bf4ff067c5
-
Filesize
6KB
MD5b83e4e5991c693454645eabef257c426
SHA1cb25b7b3569df06cd203403e28546f806e08b5d0
SHA256fc63afa941fd119a5b3c7f166bd12af9baeb50fdafd6f7c350be503432919b31
SHA51289526dce2d2559aba695641d448de398918407996b6aabfb49719e46d7a29d0435637deee5c718e09631ccc1c3888f9a9b6d20f694bab6e81042b8ed28053fcc
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5cca7325a07f1f19536bfafc85e01a5c3
SHA14ff70c82d2ce3d564e7ba8f375b9489495095609
SHA256c3526ff6896831e4a93861ccfcefeba92df61e00fd52aa2cb96fad9ef7d99c77
SHA51218a1095adcae2ef074a8ca0d1a0bf64389b252f2e4e57afeaf3abae6b8097644edf4da5eb7375d131bc79bb715dd5ffc156fdc8301f33891f3ce8e97a23f719e
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
95KB
MD58a85007f5f347bf5a8123d260b5fe9f9
SHA17fbeb223f8ceb4bdb90bf69a7b5f0729b8701473
SHA256d6df16cac48f11eb24a4f21ff4055951bc791de17ed55b36245dee5fa4eb0927
SHA512c99b97efea9f7f51c20657297db122aee913f91de4f35c81c1f2db2a8fefefeb7473b141fc0264e6f854a499ea81380035f71ecb53b68afeec15a7b5df0a4a17
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB