mercurialgrabber | 77da925157321355fa400b6727269a53fe4bc5c9b269b9a1a1c153656dfb6652

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	merc.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	merc.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	merc.exe

Executes dropped EXE 1 IoCs

pid	Process
5088	merc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
50	discord.com
51	discord.com
48	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com
3	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	merc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	merc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\merc.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	merc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	merc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	merc.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	merc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	merc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	merc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	merc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696845145416055"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\merc.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3572	3212	chrome.exe	91
PID 3212 wrote to memory of 3572	3212	chrome.exe	91
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 1944	3212	chrome.exe	92
PID 3212 wrote to memory of 932	3212	chrome.exe	93
PID 3212 wrote to memory of 932	3212	chrome.exe	93
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94
PID 3212 wrote to memory of 4004	3212	chrome.exe	94

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Screenshot_10.png
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80cb8cc40,0x7ff80cb8cc4c,0x7ff80cb8cc58
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3552,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=212,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4624,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4736,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4936,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4336,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5348,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3760,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4484,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1084
- C:\Users\Admin\Downloads\merc.exe
  "C:\Users\Admin\Downloads\merc.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1172,i,11378605805602622544,4652119235789407069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion