3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

Resubmissions

12/06/2024, 16:00

240612-tfqzrsvcnj 3

12/06/2024, 15:48

240612-s86p9avanp 10

Analysis

max time kernel
490s
max time network
358s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial.exe
Size

3.2MB
MD5

a9477b3e21018b96fc5d2264d4016e65
SHA1

493fa8da8bf89ea773aeb282215f78219a5401b7
SHA256

890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
SHA512

66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
SSDEEP

98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1696-2-0x0000000000420000-0x000000000043C000-memory.dmp	agile_net
behavioral1/memory/1696-3-0x0000000000450000-0x0000000000470000-memory.dmp	agile_net
behavioral1/memory/1696-5-0x00000000004C0000-0x00000000004E0000-memory.dmp	agile_net
behavioral1/memory/1696-6-0x00000000004E0000-0x00000000004F0000-memory.dmp	agile_net
behavioral1/memory/1696-7-0x0000000000580000-0x0000000000594000-memory.dmp	agile_net
behavioral1/memory/1696-8-0x0000000000850000-0x00000000008BE000-memory.dmp	agile_net
behavioral1/memory/1696-9-0x0000000000590000-0x00000000005AE000-memory.dmp	agile_net
behavioral1/memory/1696-10-0x0000000000610000-0x0000000000646000-memory.dmp	agile_net
behavioral1/memory/1696-12-0x0000000000720000-0x000000000072E000-memory.dmp	agile_net
behavioral1/memory/1696-11-0x0000000000710000-0x000000000071E000-memory.dmp	agile_net
behavioral1/memory/1696-13-0x0000000004CE0000-0x0000000004E2A000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Mercurial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 = a60500007605811914104c05200000000060000000000000000000000000000000000000000000000000000100005a0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f00000010000000530061006d0070006c00650020005000690063007400750072006500730000000d0000000c0000000001000000000000003100000031535053b1166d44ad8d7048a748402ea43d788c15000000640000000015000000d9f687e1d13c50b0000000002900000031535053f4767d7a30b6d74b95ff37cc51a975c90d00000002000000000100000000000000bc02000031535053a66a63283d95d211b5d600c04fd918d0110000001900000000130000007f018070390200002000000000111000002502000014001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000007400310000000000cc58610d1100557365727300600008000400efbeee3a851acc58610d2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d00320031003800310033000000140078003100000000008c3e854311005075626c69630000620008000400efbeee3a851a8c3e85432a0000007c0200000000010000000000000000003800000000005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016007e00310000000000ee3acd26110050696374757265730000660008000400efbeee3a851aee3acc262a000000840200000000010000000000000000003c000000000050006900630074007500720065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003200000018008c00310000000000ee3acd26110053414d504c457e310000740008000400efbeee3a142cee3a142c2a000000850200000000010000000000000000004a0000000000530061006d0070006c006500200050006900630074007500720065007300000040007300680065006c006c00330032002e0064006c006c002c002d00320031003800300035000000180000000000003100000018000000001f00000010000000530061006d0070006c0065002000500069006300740075007200650073000000250000000b000000001f0000000a0000004400690072006500630074006f00720079000000000000002d00000031535053901c6949177e1a10a91c08002b2ecda91100000003000000000300000000000000000000002c0100003153505340e83e1e2bbc6c4782372acd1a839b226500000008000000001f0000002900000043003a005c00550073006500720073005c005000750062006c00690063005c00500069006300740075007200650073005c00530061006d0070006c006500200050006900630074007500720065007300000000002500000003000000001f100000010000000700000066006f006c006400650072000000000011000000140000000003000000010000007500000011000000001f000000310000007b00310036003800350044003400410042002d0041003500310042002d0034004100460031002d0041003400450035002d004300450045003800370030003000320034003300310044007d002e004d006500720067006500200041006e00790000000000000000002900000031535053fcb3b4b9512b424ab5d8324146afcf250d0000000800000000010000000000000029000000315350533c0af1e4e6495d408288a23bd4eeaa6c0d000000640000000001000000000000002d00000031535053c0e85bcf6c23d34abacecd608a2748d71100000064000000000b000000ffff0000000000000000000000002a0000000000efbe9f33f8c112f3974cb1c6ecdf5910c5c08207ba827a5b6945b5d7ec83085f08cc7c050000	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4c00310000000000cc581b0f1000372d5a697000380008000400efbecc581b0fcc581b0f2a000000f702010000000200000000000000000000000000000037002d005a0069007000000014000000	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "96"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 8800310000000000cc585111110050524f4752417e310000700008000400efbeee3a851acc5851112a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\TV_TopViewVersion = "0"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Mercurial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	Mercurial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Mercurial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a0000000e0859ff2f94f6810ab9108002b27b3d9050000005800000030f125b7ef471a10a5f102608c9eebac0c00000050000000920444648b4cd1118b70080036b11a030900000060000000	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Mercurial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Mercurial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Mercurial.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1696	Mercurial.exe
1696	Mercurial.exe
1696	Mercurial.exe
1696	Mercurial.exe
1696	Mercurial.exe
1696	Mercurial.exe
1696	Mercurial.exe
1696	Mercurial.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	Mercurial.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	Mercurial.exe
Token: 33	2444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2444	AUDIODG.EXE
Token: 33	2444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2444	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	Mercurial.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1696	Mercurial.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2160	1696	Mercurial.exe	32
PID 1696 wrote to memory of 2160	1696	Mercurial.exe	32
PID 1696 wrote to memory of 2160	1696	Mercurial.exe	32
PID 1696 wrote to memory of 2160	1696	Mercurial.exe	32
PID 2160 wrote to memory of 2892	2160	csc.exe	34
PID 2160 wrote to memory of 2892	2160	csc.exe	34
PID 2160 wrote to memory of 2892	2160	csc.exe	34
PID 2160 wrote to memory of 2892	2160	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0E43CED17A04947B3565AEF3E2CD5A0.TMP"
    3⤵
    PID:2892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2888

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1668

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB5C.tmp

Filesize
1KB

MD5
a3e8c3243629b54c4f6cc3c379d303e0

SHA1
884f73d09cf9def687bb5deab4aabfb9dae59147

SHA256
bceed792682a8a1481c12b8892c9d8917e5194cf002d6b0e69e69e07ef9c6ad7

SHA512
8b6c365aec60d30fcf0c0f5ca0ff2e78792968b63bc13d2749165328d4676e6e3fb05bc2812ba3c2ad5ddd119a8763551927ec27448dd7ebc1f5cf6d284d03fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC0E43CED17A04947B3565AEF3E2CD5A0.TMP

Filesize
1KB

MD5
59ae09c4cf689532f57b411f8c0793a9

SHA1
2735f01236e2b444a2fe177b128477527a8b39c7

SHA256
532956b031ca7e27a90cb61f1c6e1305b9c80a39522724045c816399bca22137

SHA512
5bf3d74f15cfa474c5390f36f7262e8e9ca9e977dd677944a58671b0c1e590e9b40b1edf0ef2ca0a3b8608d36787da5978942dba4b2205d4c4cb9d5238817e1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.0.cs

Filesize
11KB

MD5
a4fb19dc6b70481ac7ed6f570e2c4f90

SHA1
d8e5711e0ba6ba8ed9771c6da956cfd0c1a38538

SHA256
789b2fb89f8974b2811071d52034fa2e9e7e0e2e598bac8157e87dd333893899

SHA512
3f0c3b3d6b2c99a788e768617ca336b6e1c79f00553e6dbf4d9cc6586955e3a2fc9731af83ca0d6d64b7658ed13282ce4e96f816979dd62e8e9a70f8c21cf220

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.1.cs

Filesize
5KB

MD5
8aab1997664a604aca551b20202bfd14

SHA1
279cf8f218069cbf4351518ad6df9a783ca34bc5

SHA256
029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

SHA512
cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.2.cs

Filesize
7KB

MD5
6fdae9afc1f8e77e882f1ba6b5859a4e

SHA1
33eb96f75ffe9a1c4f94388e7465b997320265a5

SHA256
a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

SHA512
97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.3.cs

Filesize
8KB

MD5
6ba707982ee7e5f0ae55ce3fa5ccad17

SHA1
d094c98491058ed49861ce82701abe1f38385f18

SHA256
19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

SHA512
d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.4.cs

Filesize
2KB

MD5
fae5458a5b3cee952e25d44d6eb9db85

SHA1
060d40137e9cce9f40adbb3b3763d1f020601e42

SHA256
240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

SHA512
25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.5.cs

Filesize
4KB

MD5
42f157ad8e79e06a142791d6e98e0365

SHA1
a05e8946e04907af3f631a7de1537d7c1bb34443

SHA256
e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

SHA512
e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.6.cs

Filesize
6KB

MD5
8ec0f0e49ffe092345673ab4d9f45641

SHA1
401bd9e2894e9098504f7cc8f8d52f86c3ebe495

SHA256
93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

SHA512
60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.7.cs

Filesize
16KB

MD5
05206d577ce19c1ef8d9341b93cd5520

SHA1
1ee5c862592045912eb45f9d94376f47b5410d3d

SHA256
e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

SHA512
4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.8.cs

Filesize
561B

MD5
7ae06a071e39d392c21f8395ef5a9261

SHA1
007e618097c9a099c9f5c3129e5bbf1fc7deb930

SHA256
00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

SHA512
5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.9.cs

Filesize
10KB

MD5
380d15f61b0e775054eefdce7279510d

SHA1
47285dc55dafd082edd1851eea8edc2f7a1d0157

SHA256
bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

SHA512
d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv4rkjsj\yv4rkjsj.cmdline

Filesize
840B

MD5
60dc33061ddbd1b9ac3de08167646b89

SHA1
49c1ef2a11b0c520a0cc82b3d7260c14dd0c6955

SHA256
93996258cd6f29387bc076709d97d052b85f826612f29770748797cb1cbc5a5f

SHA512
1bdf6f2376ecdfdcff3708c62668de6558281b7b8005a87e07d0e5928328cf69cf661784661c27c6ae00fd39a86065f53e82ab095b91d25286b9a4bab73aaa51

Download Submit
memory/1696-10-0x0000000000610000-0x0000000000646000-memory.dmp

Filesize
216KB

Download
memory/1696-28-0x0000000005850000-0x0000000005852000-memory.dmp

Filesize
8KB

Download
memory/1696-15-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download
memory/1696-16-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-17-0x0000000005350000-0x0000000005358000-memory.dmp

Filesize
32KB

Download
memory/1696-18-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-19-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-20-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-21-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/1696-22-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-23-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-24-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-25-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-26-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-27-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-14-0x0000000005460000-0x0000000005576000-memory.dmp

Filesize
1.1MB

Download
memory/1696-29-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-13-0x0000000004CE0000-0x0000000004E2A000-memory.dmp

Filesize
1.3MB

Download
memory/1696-11-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/1696-12-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/1696-0-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/1696-9-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/1696-8-0x0000000000850000-0x00000000008BE000-memory.dmp

Filesize
440KB

Download
memory/1696-7-0x0000000000580000-0x0000000000594000-memory.dmp

Filesize
80KB

Download
memory/1696-6-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/1696-5-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download
memory/1696-3-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/1696-4-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-2-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1696-1-0x0000000000BE0000-0x0000000000F1A000-memory.dmp

Filesize
3.2MB

Download