mercurialgrabber | hxxps://github[.]com/LatenceX/Mercurial-Grabber/raw/main/Mercurial[.]exe

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	caca.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5136	powershell.exe
5516	powershell.exe
6072	powershell.exe
5344	powershell.exe
5572	powershell.exe
5292	powershell.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	caca.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	caca.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Mercurial.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Mercurial.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Windows Driver Fondation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Mercurial.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Driver Fondation.lnk	Windows Driver Fondation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Driver Fondation.lnk	Windows Driver Fondation.exe

Executes dropped EXE 11 IoCs

pid	Process
3964	Mercurial.exe
2204	Mercurial.exe
5328	Windows Driver Fondation.exe
5400	Mercurial.exe
5456	Mercurial.exe
5740	Windows Driver Fondation.exe
5780	Mercurial.exe
5300	Windows Driver Fondation.exe
5368	Mercurial.exe
4056	caca.exe
4772	Windows Driver Fondation.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/5400-147-0x0000000005240000-0x000000000525C000-memory.dmp	agile_net
behavioral1/memory/5400-148-0x0000000005280000-0x00000000052A0000-memory.dmp	agile_net
behavioral1/memory/5400-150-0x0000000005500000-0x0000000005510000-memory.dmp	agile_net
behavioral1/memory/5400-152-0x0000000005520000-0x000000000558E000-memory.dmp	agile_net
behavioral1/memory/5400-153-0x00000000055A0000-0x00000000055BE000-memory.dmp	agile_net
behavioral1/memory/5400-151-0x0000000005510000-0x0000000005524000-memory.dmp	agile_net
behavioral1/memory/5400-149-0x00000000054E0000-0x0000000005500000-memory.dmp	agile_net
behavioral1/memory/5400-156-0x0000000005640000-0x000000000564E000-memory.dmp	agile_net
behavioral1/memory/5400-155-0x0000000005620000-0x000000000562E000-memory.dmp	agile_net
behavioral1/memory/5400-154-0x00000000055E0000-0x0000000005616000-memory.dmp	agile_net
behavioral1/memory/5400-157-0x0000000005EE0000-0x000000000602A000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Driver Fondation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Driver Fondation.exe"	Windows Driver Fondation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com
73	ip4.seeip.org
74	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	caca.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	caca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 1 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	caca.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	caca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	caca.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	caca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	caca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	caca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	caca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\TypedURLs	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\TypedURLs	Mercurial.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 70262.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	msedge.exe
2736	msedge.exe
4532	msedge.exe
4532	msedge.exe
3124	identity_helper.exe
3124	identity_helper.exe
832	msedge.exe
832	msedge.exe
5136	powershell.exe
5136	powershell.exe
5136	powershell.exe
5516	powershell.exe
5516	powershell.exe
5516	powershell.exe
5400	Mercurial.exe
5400	Mercurial.exe
5400	Mercurial.exe
5400	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
5400	Mercurial.exe
5400	Mercurial.exe
5400	Mercurial.exe
5400	Mercurial.exe
5400	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
5780	Mercurial.exe
6072	powershell.exe
6072	powershell.exe
6072	powershell.exe
5344	powershell.exe
5344	powershell.exe
5344	powershell.exe
5572	powershell.exe
5572	powershell.exe
5368	Mercurial.exe
5368	Mercurial.exe
5368	Mercurial.exe
5572	powershell.exe
5368	Mercurial.exe
5368	Mercurial.exe
5368	Mercurial.exe
5368	Mercurial.exe
5368	Mercurial.exe
5368	Mercurial.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe
5328	Windows Driver Fondation.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5136	powershell.exe
Token: SeDebugPrivilege	5328	Windows Driver Fondation.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	5740	Windows Driver Fondation.exe
Token: SeDebugPrivilege	5400	Mercurial.exe
Token: SeDebugPrivilege	5780	Mercurial.exe
Token: SeDebugPrivilege	6072	powershell.exe
Token: SeDebugPrivilege	5300	Windows Driver Fondation.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	5368	Mercurial.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	5328	Windows Driver Fondation.exe
Token: SeDebugPrivilege	4056	caca.exe
Token: SeDebugPrivilege	4772	Windows Driver Fondation.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
5368	Mercurial.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5328	Windows Driver Fondation.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 440	4532	msedge.exe	84
PID 4532 wrote to memory of 440	4532	msedge.exe	84
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 1848	4532	msedge.exe	85
PID 4532 wrote to memory of 2736	4532	msedge.exe	86
PID 4532 wrote to memory of 2736	4532	msedge.exe	86
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87
PID 4532 wrote to memory of 2336	4532	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LatenceX/Mercurial-Grabber/raw/main/Mercurial.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe38b46f8,0x7fffe38b4708,0x7fffe38b4718
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,9311016141528703377,6653754406331899367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Users\Admin\Downloads\Mercurial.exe
  "C:\Users\Admin\Downloads\Mercurial.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5136
- - C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Fondation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5292
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Driver Fondation" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5284
- - C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fri3fsrh\fri3fsrh.cmdline"
      4⤵
      PID:5464
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B34.tmp" "c:\Users\Admin\Downloads\CSCACC3DFFEB88348C189A53B3FDB276050.TMP"
        5⤵
        
        PID:960
- C:\Users\Admin\Downloads\Mercurial.exe
  "C:\Users\Admin\Downloads\Mercurial.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5516
- - C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
- C:\Users\Admin\Downloads\Mercurial.exe
  "C:\Users\Admin\Downloads\Mercurial.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5300
- - C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4364

C:\Users\Admin\Downloads\caca.exe
"C:\Users\Admin\Downloads\caca.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion