hxxps://pastebin[.]com/gU4Zj4SD

Resubmissions

07/05/2024, 19:43

240507-yfk6qsfa24 7

07/05/2024, 19:40

07/05/2024, 19:35

07/05/2024, 19:31

07/05/2024, 19:26

07/05/2024, 19:21

07/05/2024, 19:16

07/05/2024, 19:14

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
07/05/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pastebin.com/gU4Zj4SD

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3920	mbr.exe
2384	bytebeat.exe
4280	ColorA.exe
2984	GlitchB.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3852-700-0x0000000000400000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/3852-955-0x0000000000400000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/2772-996-0x0000000000400000-0x0000000000515000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
1	raw.githubusercontent.com
4	pastebin.com
47	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878097196-921257239-309638238-1000\{3A9738DF-86B8-4050-8CA8-8FDCB9EECD24}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Mercury.C.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4972	msedge.exe
4972	msedge.exe
3140	msedge.exe
3140	msedge.exe
3928	identity_helper.exe
3928	identity_helper.exe
3860	msedge.exe
3860	msedge.exe
1204	msedge.exe
1204	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3476	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3852	Mercury.C.exe
2772	Mercury.C.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4528	4972	msedge.exe	79
PID 4972 wrote to memory of 4528	4972	msedge.exe	79
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 5040	4972	msedge.exe	80
PID 4972 wrote to memory of 4952	4972	msedge.exe	81
PID 4972 wrote to memory of 4952	4972	msedge.exe	81
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82
PID 4972 wrote to memory of 1888	4972	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/gU4Zj4SD
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7ce73cb8,0x7ffe7ce73cc8,0x7ffe7ce73cd8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6772 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12349338363815890304,13642151139942749416,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:784

C:\Users\Admin\Downloads\Mercury.C\Mercury.C.exe
"C:\Users\Admin\Downloads\Mercury.C\Mercury.C.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3852
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\EFFA.tmp\EFFB.vbs //Nologo
  2⤵
  - Modifies registry class
  PID:1244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\t.vbs"
    3⤵
    PID:3528
- - C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\bytebeat.exe
    "C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\bytebeat.exe"
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\ColorA.exe
    "C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\ColorA.exe"
    3⤵
    - Executes dropped EXE
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\GlitchB.exe
    "C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\GlitchB.exe"
    3⤵
    - Executes dropped EXE
    PID:2984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004F4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\Downloads\Mercury.C\Mercury.C.exe
"C:\Users\Admin\Downloads\Mercury.C\Mercury.C.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2772
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D3A2.tmp\D3A3.tmp\D3A4.vbs //Nologo
  2⤵
  PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c16971be0e6f1e01725260be0e299cd

SHA1
e7dc1882a0fc68087a2d146b3a639ee7392ac5ed

SHA256
b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0

SHA512
dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bdf3e009c72d4fe1aa9a062e409d68f6

SHA1
7c7cc29a19adb5aa0a44782bb644575340914474

SHA256
8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc

SHA512
75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
37KB

MD5
c912655c8d691e1a190dbec03d14e653

SHA1
a90a6ea007e121441a0d9c48ea4073a635085f6b

SHA256
35e5f055ba3fc9eb6c89884d533f5484fcb335d0e226145d7ea7a6a1e2da6fae

SHA512
c606bf2711a2be266c69a702d60bbc0d66dc6655c88dd669932f9c3954941a44d6a09e25bf60272ba5e0ba09ee65f4a3d8bd33a215ed2eb76ed601f06fa984d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
1.2MB

MD5
25a7f8dea0207366b4b9d77569ff6f78

SHA1
57a20ac66704e6b2766c6946fafdec22f47ee79d

SHA256
502a9f82d39ef6fca4b4fc1bfd046b9736d8e232c8b1562eed0ca62d149bbfed

SHA512
db300662a1a49ae8417fb013462fc62ab20351c9c458cb60b0b22ec89c1cba410ae03301cefa6464dc58ed332ceb8a2d67eb6b8078c7f2127729594126133024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
90c69bbd2f0e4141532448a36608f5cf

SHA1
63e445e353d1d6c5877bae0d33ea843c1565d30a

SHA256
92bd480a9610edfe9f178378984e6a30f108c0df737495f6d31d5e93e4808919

SHA512
13c136ebeeb12dfb67c07a3cefe9eacb3a2965d83118b95005b07048f95acebfe61bce321f8b5192e1fabb2584f91841951d427573d736c8e31cdc41f0dec02e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
2fce668db24acd1029c2414d9e697f1d

SHA1
b93fcc7302382349820254bd1c2fd4f54ed9e65d

SHA256
e4d70d007e20dc1d75785e6874a244c63b83484255e9fdef9d7c33eead89fcbd

SHA512
72ce3b43ffc1eb82a7955fbf610e6a95040af354a409443a0fb8c744b102bae36099f88dc6db392ff48f7c4d427c7731fbea2d33a21defe36da3509f4e741183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
120f914c08a2466d1ac0e3a60f62efbc

SHA1
db91e50fc6cf1d21bed7f38a6448929510892f18

SHA256
00a41772998a76d7dee0faecb2beeef8bc85184e41f54f47e100d47b03aada16

SHA512
7c41ad43922e5ef5fb4345d5a108e56ee05d81ab8e927950c34ec175d3f0b4ab3e2871d95f11921b86c6c1bfdb2c3a80add9a7f57da16be4406ee48846a2b87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7f893e48c421eb4e255bdf9a99f92f91

SHA1
988c34355fafb72382a4088c16900e46ffb75ca8

SHA256
6b9d7f7a90ff1d4a756aa4dd22745f6cace410538491ce4ba3736b1726927419

SHA512
d320552c7486c9b65b837802ce45a70f7ca9c6f44611d575fea8832804645a2b97a549d1a47c4225f574ab3b56d94a201c39527b3f44b60f50f3ec157ad96c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
12fc7ba348f2088d7c2ff060a4b406bd

SHA1
4628ea8d087970ab28eef5b6fd027baffb07fa91

SHA256
3036cc19a58e392b78e60247a39a7a92da79e0e55c058531ece84051cc05b258

SHA512
b97c8c72d6a5d2aebbda1e6ab65bd149601b6d097edf999c755122702fe472d6ba9229f9a39335ca83f5b98e44f32115362f5b7e288972901fea02964eab7bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d52a1d16c417a2ffbabe2786d982ebe0

SHA1
36cc5817bc2aac8f3068505a23eca7f5914ec363

SHA256
9b589f30aff478e6ff5b6e4f72ded1e411f2c58f28294232215b29e9fad41e1c

SHA512
e95200250431b032c9f7d8e2c8e6c5e2cb5c2b2a4f52e88be91c875e474897fbdc96866c2814928d2e2eb527bcce9819c8205178fcf6bd998bfad33607e4f4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e07a5b42477041fa5a62fc62d32e00b

SHA1
7e2a76a400b449ef09e2933b202d9ba24a68f116

SHA256
b951694fad50d1f10b73c14e1a2eecd39651500953512f7b9cd8830dce25336b

SHA512
a2fbd093757e2ed6ebad3e28d754a9707f54973eb7e84a47657e51b00fc5b8a8cc2cfbadd95846de1e2ea8da4bb74507ba4a960a539bc11569c63fbff35a550c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
449579bfc86427303f14413b29796b52

SHA1
d8183175e5b03679bd471e08b3e51bac32489654

SHA256
ddeaca91e289fb31452c95131cc6b9b2bf43f2333d6029af7cfc4e9d619b0790

SHA512
1db5c85f99d19fbcb274b4bf0061099942405834a9810380515df79ed532f2cac347fb424c942c42f0d2c238bb12a94432de5097a1bff1208c3506c0d465d9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
619eec78afeb705e63693b4891ede277

SHA1
6102c7de799a55912d1320a17f881976f4426580

SHA256
6cb038b2d5302a10f7ad47cee16b71eafa140b71ce84bed9eb9e47f5bd2c72b9

SHA512
8b4de6368debdd37ca2ba85947206290296c48729aa2aa6638eb77cc7092d62904a6b085f49c07cb06d5588f3f85233d35a0b802c759d4a9ab332afcf5d131cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
e9b89376fc62d32bc55e134cb4d782da

SHA1
db6c70677579248c70d3cc3f029c0ee0e37d6713

SHA256
69a22845a7fc58b5a2c15e4593b0731004bcf0693d16b14dbbae78534b14b566

SHA512
df8e485c528626fa20ecd5f59e5e4cb652e14add439420171c93db3b5c92e65af238f37ff863029317d09f9614785719a2d78354fd970815e01d892568868076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18e4f25a1cb2ee9a86774bc03b75b78f

SHA1
bc83c5f70bdceeb3d34214ab2fddfa04b0af1629

SHA256
a304015244c4b38f4531fd4d98540d7bd8e1e8e8825a223e7df49f4932b4d3fd

SHA512
3106e95421ad1e97cfb52ce66b15a8e66a003f6c1f6501dd2927ae5adaa8b91241d997121e61655d9a432225143a87b693a95e7dfb52594c2f2bab0a48e7cb1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e242a586ecd1fb0a406c93158566fea

SHA1
b49423a765a7dee616a48b1dadede312fb5858bf

SHA256
dc44bfd2e54fc5e92b382334af65400f8e4443564ccc27d5024a2473a5c9d288

SHA512
44e952800bf08ad8f9c8ad8f3366ea642b6ebc6a3575eb82461888cddb25b02fcf97f539e2aa3c3f4802a50740c83b5859e8afc2d06df81fd4c6a8020aaa6089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580eb1.TMP

Filesize
203B

MD5
b6cabc1d27a9a255f3723a280c898934

SHA1
43eec9f0c447185c9f001b49c7480d2fc607f0a8

SHA256
07595a2aa912e4c50c37a5b75d46938d09ebabce2924d40a65c199e5ae856e29

SHA512
5ac12713f2686567cc0a2176c78c3ba999fe336c0c98a785f97890eb96f6eb84c54d545fe84091fd8064be3347807ba71b6347cee163e24b5099bd140cfff528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ed44ba00644eca8b07d7d424c928488

SHA1
e85cf1e11ac11c278b81f3e13150128b3ff28139

SHA256
9ec43e0d6f54b27942a500c73821c1f398f81d480e6e80f6710030f9d874a450

SHA512
a84036d9de827511df6aaf88507cc8a1aca3a8a9f5b3b74cbcf43df9a55619ad56cb17ce09b9951498329f968f638fa6e0bb02dae998703b34729252ffd65601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
df09430ac9ace697a1fad0c2b05a1990

SHA1
0f071845ea727c1eeda9d708030d9c723456062d

SHA256
c372d342ddce8461d2e19568c760d9f77eac219ab787775fe6950751bbbd8977

SHA512
4a84dee0b06b6660abd8d626377d40b9d17fa1e02d949cb3a263f61620e322bc0be94b0f09f9a2dca9813e10233b84c8c756696f01a45604b9e98bc7608e64ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\ColorA.exe

Filesize
107KB

MD5
d50fbc1a509ef70153d458aa657a1416

SHA1
1f92309b9fa0d1ea78c8a67745a4caf763313089

SHA256
f41d9fdcdcebf89ea570158e5d00aff3a7f31970e92b929258777a1bb52d328d

SHA512
48504f06a2f510d85ac4acb6f71b5e4137c08abcc11aef0daadfe29624025b499df93f4389033ab3cc082a0146a251634725026958988c5bedf1bf5382573901

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\EFFA.tmp\EFFB.vbs

Filesize
1KB

MD5
d46581bcd1ba3407e08e4d766f248ff7

SHA1
20c56d9760e6e7b148cc9556d4528badde2cc49d

SHA256
8f0943daaa9eeaa2886e6ec36a144dc74e5036a30be7514a0ae736ce03da145e

SHA512
fc60d7db66104be51d3527eed8daa66d101711cddd7126ae3e4edc1c929a7893c47615523bb8f610d6b1267d071f584ba692938f376ebe1915c30047ba5065e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\GlitchB.exe

Filesize
1.3MB

MD5
716ae76e98dce401a20e692b2c8af422

SHA1
c3b8aa6afc390b4b1b551ef73cf8890afd558252

SHA256
2d51a1794fbdaa664347dfbffc6d5cd6377be80ca05525bbd331c0c8391bd669

SHA512
bc9ac1baead0fef0e4eb6c23c7ccbf8140b7bddc5c5f838a972c18fdd46622a1d008bd89ba65b287b2697544e64c6d98ac61461bfdeb4ac10463a37e8cf2dd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\bytebeat.exe

Filesize
102KB

MD5
6dba963d56ae1fcdfd6e840a52416801

SHA1
5ad332cce4c7556cc0aa72b9d5792f42e3873b3b

SHA256
eb3940fb1f2a0b16f5e58c7f4b707fb26b6ee08ebe7f5c43b9c02fcf02fe4506

SHA512
c0ab4d15323aad3f35f82f90e55798a235f8c41fb84308f76566bd758c9a649031c11610af13bea472cf787ed18d53e6e61962ee41ad97854e028bbb47fc4edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\bytebeat.wav

Filesize
937KB

MD5
0d6e9332c0dcaba834cbf616017b0cad

SHA1
b831a6f54d52424a5c5cbb35a4f201e62a8b5b72

SHA256
007fcb6ef5af82cf8325263d6e55a2aa32418a420866fe53e95f29861663449a

SHA512
db7a92c58f90b60bfb66f40d2d76739318adf6a3981bda720aaf049c4a015100f6a05fa855db315bc553549ee7375f48ab8c0e6facd634cde390391a42aaaa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\mbr.exe

Filesize
1.3MB

MD5
dd85e30ef70c4f0425837a3fe17dbc1d

SHA1
03e19f1a21649b1874633e6f6afe754bf9106645

SHA256
356e86a7609e3475e6d5aace81f673607061c551f91f57b87c3ecbd3943d4181

SHA512
acb6e47380aa371ef12e9d4624c31c524d54228986d75e6a7317896c5eb2517506a8e4341f9e0392a5ecd49820ceeee0a216a2d4f9490123c9620d81e42a91ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\t.vbs

Filesize
314B

MD5
623e9906409c3b8e3fd9b8c93700f5b2

SHA1
dc5f18a87f49eb4fbc042a1057980fb86b0f80d1

SHA256
03b636d34ef16404d2ef33a5a7e4f582165614cbe58f9c7ea47ddd9cf92aaa32

SHA512
58d7e15e4d169ff829eeb5680cc3dd569e9bb9be8e95d11a0c4ae6d126427e2eb97a4c83d8064df4075cbd7db3755be6e0eeb041779c80898180a53697200d68

Download Submit
C:\Users\Admin\Desktop\mercurywashere 5.txt

Filesize
31B

MD5
d564f2e9321d6c7376c046daca1a3e41

SHA1
c20e97fef336e24b87314bfd9e76861d56f1d4d3

SHA256
73814b7c0637a09eb3eb6e7af6df59c0a9303fe7eabccf0b4fffda20613cfa2e

SHA512
0784d78b88dd39567c56224d401450448c284f2f3ab343b8a645a79c9f854a5b6cfd82b35f003477bcbcbf3b74f653e79b6581590fbbc6dc61a01839abd2ede1

Download Submit
C:\Users\Admin\Downloads\Mercury.C.zip

Filesize
7.2MB

MD5
1c3eab4cef444d020a408b42d02a14be

SHA1
3f09306562a6763b22ea9fdb8c96846565bf427c

SHA256
4ecca7c31a019ffc8f7c5548853bf37e41d75ad4e0a18f66afb4d8ae660f3d24

SHA512
d65e7ceb38d52950da074619a4b0b069654ada4cf0809676531b565dccb382937c4381d1752b44d74c4a4cf4935bbd03c16e8e81cdac839b2af8af0a01ab0f59

Download Submit
C:\Users\Admin\Downloads\Mercury.C.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/2384-957-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2772-996-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2984-973-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3852-955-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3852-700-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3920-741-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4280-960-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-967-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-958-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-972-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-994-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download