hxxps://github[.]com/NightfallGT/Mercurial-Grabber/releases/tag/v1[.]0

Analysis

max time kernel
190s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NightfallGT/Mercurial-Grabber/releases/tag/v1.0

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Mercurial.exe

pid process

2236 Mercurial.exe

pid	process
2236	Mercurial.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2236-241-0x0000000005490000-0x00000000054AC000-memory.dmp	agile_net
behavioral1/memory/2236-243-0x0000000005700000-0x0000000005720000-memory.dmp	agile_net
behavioral1/memory/2236-242-0x00000000054C0000-0x00000000054E0000-memory.dmp	agile_net
behavioral1/memory/2236-244-0x0000000005730000-0x0000000005740000-memory.dmp	agile_net
behavioral1/memory/2236-245-0x0000000005740000-0x0000000005754000-memory.dmp	agile_net
behavioral1/memory/2236-246-0x0000000005750000-0x00000000057BE000-memory.dmp	agile_net
behavioral1/memory/2236-247-0x00000000057D0000-0x00000000057EE000-memory.dmp	agile_net
behavioral1/memory/2236-248-0x0000000005810000-0x0000000005846000-memory.dmp	agile_net
behavioral1/memory/2236-249-0x0000000005850000-0x000000000585E000-memory.dmp	agile_net
behavioral1/memory/2236-250-0x0000000005870000-0x000000000587E000-memory.dmp	agile_net
behavioral1/memory/2236-251-0x00000000061E0000-0x000000000632A000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeMercurial.exe

pid	process
4496	msedge.exe
4496	msedge.exe
3144	msedge.exe
3144	msedge.exe
1184	msedge.exe
1184	msedge.exe
4832	msedge.exe
4832	msedge.exe
2344	identity_helper.exe
2344	identity_helper.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
2236	Mercurial.exe
2236	Mercurial.exe
2236	Mercurial.exe
2236	Mercurial.exe
2236	Mercurial.exe
2236	Mercurial.exe
2236	Mercurial.exe
2236	Mercurial.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe
3144 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zG.exeMercurial.exe

description	pid	process
Token: SeRestorePrivilege	4032	7zG.exe
Token: 35	4032	7zG.exe
Token: SeSecurityPrivilege	4032	7zG.exe
Token: SeSecurityPrivilege	4032	7zG.exe
Token: SeDebugPrivilege	2236	Mercurial.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe7zG.exe

pid	process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
4032	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3144 wrote to memory of 3300	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 3300	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 2724	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 4496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 4496	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe
PID 3144 wrote to memory of 1320	3144	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NightfallGT/Mercurial-Grabber/releases/tag/v1.0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff898e63cb8,0x7ff898e63cc8,0x7ff898e63cd8
2⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
2⤵
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
2⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12162019041037609781,16048831343236344943,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5168 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3024

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\" -spe -an -ai#7zMap24083:108:7zEvent16135
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4032

C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Mercurial.exe
"C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Mercurial.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.cmdline"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB126.tmp" "c:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\CSCC0190A693DD940068988616E14E96CDB.TMP"
3⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1e4ed4a50489e7fc6c3ce17686a7cd94

SHA1
eac4e98e46efc880605a23a632e68e2c778613e7

SHA256
fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

SHA512
5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8ff8bdd04a2da5ef5d4b6a687da23156

SHA1
247873c114f3cc780c3adb0f844fc0bb2b440b6d

SHA256
09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

SHA512
5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
ee5e8140aa4df3fef0bd484a8b044e69

SHA1
87b4c3bc9e639bf61c11fab433ab5feb086f1cfa

SHA256
e8a81718caf5ad354684bf08ae8071bf4141d558b99639f6e88be95515d54682

SHA512
00b2b8936735013e7cdbc8463835f242ebe4bd5ff955e7e6c58351e0f67ba366a87d446157871f593df7ba83740847abf3cc27137d47423a9db014de383dba46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
496B

MD5
30322550d9f9c54f345ea1c71f3b2e8f

SHA1
b5a3cff2995147279c2bbed7c03b2280ecb286e5

SHA256
4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9

SHA512
261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0bebb2c5d17c26d6f965e8cad0da7da4

SHA1
2b319962fd58990c803cd360c9c3278e0a8ab7f5

SHA256
117a98f93b51e513b90bdb0b4d840f0799bbecf7200676d1658d4c05e6d2ff08

SHA512
c7bfbec83d5bd82224ee5c973c55e6b6129d59148e7f6d6f8da52ea1ad1836804ab8cf1de3d614122c0a1818733304a899a90a925e493ceef1240a720f744a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
44cbc7d2d0b9026d5647eb9151b58bb7

SHA1
6611455d221962fabc7283d29b1d986dc9cbb330

SHA256
5116ce78ab7d01855007f9d04ad847e29dc25dd374e894d3a82c7d21ff9c53cd

SHA512
98d91cc56d18b43044cf7729a4d57b2931c69980841f9cddbe8b53ab6b58ec385db2695bf937e886fce64f717b5780b91cc41ee3bc7be4c2cbb05f1b60ecf4c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3a3d48176633f64fa60631a8ddc82a13

SHA1
6da504f7016d16ce1bf43a28530839837abe01f1

SHA256
fbce9c89b37603acc27348228000ea638712b62ada3f0c02c40488767d046ab3

SHA512
0c19e2f0363456cfc2cf88a4ae8a0d88fc4591f75c4796cb601d56867928e9fcf7ba7df9342a69097fcc50aff0cfd81d2cfd53ac81828178a848d5070da19758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
0981ec71fd355134219a0c98967979d6

SHA1
8328bc135796aca7ef4772164a5b6763e2c80699

SHA256
db56c71c3d4c8f99a30e56aafdb3e4704820bb0721f060ca22fd4646f9a5b07e

SHA512
200c7c02245e5af908bb596290560098d7c01bbc4536658db78cce1228a3c1f6e184dc7bb0e562ef3e975a070b8a0e6bc05d66fe1fbee83a8eae62553ed20131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5944cf.TMP
Filesize
874B

MD5
6d0932c89f58011302b6d568a0931af2

SHA1
6a3ee053750cdcee295cc591c9e01cc166b00d00

SHA256
e1a820af321006de2668b324071fcf2e204d20562ea705413e2f77eee8c2a977

SHA512
72e31b1fd12383f626f5da48d48caac8212ebe9cfc143d3b0776d37702c3e7950ccceea1830d75ffe9dfddec13017b0d877822db50e6ea5687e23ae9cb27bcb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1b3dfb8371a5f8629ae5b0cd34be576c

SHA1
da59b8fccb902b9cc2f64323cf4b4c341f3327b9

SHA256
ddbe687d4a79810946d1c39af65a50da635cda4efcb3fa0d0e55ea6b3d306c1f

SHA512
666d47e420a0998ee5d7345b1c48ae8879fa96dade428f8f4d83cf441d77bfa190397d3bc839546988826446832f80bdd4f6d29613ea2496b1711301c317a1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9aac84d26194ebf04db23a9e81ffdef5

SHA1
c322067fd6f5a720c2ff33cb9c0bcfb66b9555b8

SHA256
33cfaf49db4558b845964a1fb6f09da01f436b9be507b1f42b151e8bf4e9fc04

SHA512
1b85c6e1805a14dc2484427753dba00d1a75acd4e5217a1cf17281c98bab73784b45e2ab659156612f8bdc19cfb5ec009a14841bfdc2adc065b1cac56e801adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6c4b6fbe0b2748c63fbe33c397d19c8f

SHA1
e031a240947ae188318781c57cfceb82f1772ee9

SHA256
56bac6514fd764a38ae4121805681973844b30e6210b69c0cc39fa05efad7220

SHA512
2333eb14933a536ce2b3356f89b878f7cf540c0b7de1f05ecc1e423009712651b47e0e6b02197b7504e9d281407e56b1b49cc1fd26d9f5eced657f3ae6498162

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB126.tmp
Filesize
1KB

MD5
ebb6de6c3bfbd48742699c33acfae136

SHA1
da7a34c9922baa3ac9dcfc97e97a2989228b076f

SHA256
177e5b4e211ab52af4dbcfa07be7059c5f6457df2075ddee8a112018fe550ebd

SHA512
25b919f13c1b317c1b22b0b395681f85dc626ee28ae452fc68eee578bc533cb37d32afc4206574599e87fac817ba41c82b0dc5927a709f06bae838201ac0d11f

Download Submit
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar
Filesize
2.9MB

MD5
635903bad1ada856d701f34d3070ccd9

SHA1
3ff98d91b9a3a47bf9f64bdf161efb9c5ac99fb0

SHA256
3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

SHA512
fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015

Download Submit
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier
Filesize
106B

MD5
46a647df3d699b915a543ec7df8fcffb

SHA1
ad94bc8c19ec2fba9f7ac6d0c204e67172d3de52

SHA256
8d47c38e476db29201792ff906034da68a265f336972de25dbf8dce61092f866

SHA512
4cf4f997a6435b4ad9275fb528d7b7c8186ba166804ff07aac5b49f5f1858377c4c9178461a72bfbc53c99eb20f4982fb1f72651d25488791ba27a01cfa7507f

Download Submit
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.0.cs
Filesize
11KB

MD5
6e09c67b55a62916fc9204eff6877bf0

SHA1
5bdd02efc746008dbbb8704eecffbf34136b8695

SHA256
a4962989573ad9ff719db89381e95c64f6e0be84f31d20d346a2df632b9c9adf

SHA512
362aa38ddffeea66f1cb2ba7d42e2f0754c9b1b28a8e7b0f794ebcfc74043349e5ee9e2b58720af89d3612e0d6931b47ac12f11be274ca271227e8e622ef01e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.1.cs
Filesize
5KB

MD5
8aab1997664a604aca551b20202bfd14

SHA1
279cf8f218069cbf4351518ad6df9a783ca34bc5

SHA256
029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

SHA512
cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.2.cs
Filesize
7KB

MD5
6fdae9afc1f8e77e882f1ba6b5859a4e

SHA1
33eb96f75ffe9a1c4f94388e7465b997320265a5

SHA256
a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

SHA512
97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.3.cs
Filesize
8KB

MD5
6ba707982ee7e5f0ae55ce3fa5ccad17

SHA1
d094c98491058ed49861ce82701abe1f38385f18

SHA256
19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

SHA512
d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.4.cs
Filesize
2KB

MD5
fae5458a5b3cee952e25d44d6eb9db85

SHA1
060d40137e9cce9f40adbb3b3763d1f020601e42

SHA256
240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

SHA512
25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.5.cs
Filesize
4KB

MD5
42f157ad8e79e06a142791d6e98e0365

SHA1
a05e8946e04907af3f631a7de1537d7c1bb34443

SHA256
e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

SHA512
e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.6.cs
Filesize
6KB

MD5
8ec0f0e49ffe092345673ab4d9f45641

SHA1
401bd9e2894e9098504f7cc8f8d52f86c3ebe495

SHA256
93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

SHA512
60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.7.cs
Filesize
16KB

MD5
05206d577ce19c1ef8d9341b93cd5520

SHA1
1ee5c862592045912eb45f9d94376f47b5410d3d

SHA256
e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

SHA512
4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.8.cs
Filesize
561B

MD5
7ae06a071e39d392c21f8395ef5a9261

SHA1
007e618097c9a099c9f5c3129e5bbf1fc7deb930

SHA256
00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

SHA512
5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.9.cs
Filesize
10KB

MD5
380d15f61b0e775054eefdce7279510d

SHA1
47285dc55dafd082edd1851eea8edc2f7a1d0157

SHA256
bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

SHA512
d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unrbm3t3\unrbm3t3.cmdline
Filesize
833B

MD5
b4458f8fa1473090cf74e5718f1decf6

SHA1
069b92cc7c6cf0bf1fafe999b7fdfdb2a8bb32f7

SHA256
a6dbc122d91f7be2df7a0e8a704044fa5f012d090587e6123f9657c932836b77

SHA512
e6584ef100e3129fbfb4f34138504908c797353c3296f65281946dcb749b96520d97336f2f22848a1bb2fd41707dc3f07cf9159a9d3040a3842a26ab90de92f0

Download Submit
\??\c:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\CSCC0190A693DD940068988616E14E96CDB.TMP
Filesize
1KB

MD5
2c8070f084ff635f9e016b831cd6ef16

SHA1
84d8287a21eaf176ebd7b3efe8571b3862de873a

SHA256
535d007133ddae112030480aac0b6954d4aac98bcd69b0ef192a010770564a4f

SHA512
f7dd550984e579912cf8fa688c53985308862954688b44482c83c05d61274519812a5ea9b6ddcfcd8972d117c8e3edfa6da0e23f3c8ea17ef0bdab80bf0d4c1f

Download Submit
\??\pipe\LOCAL\crashpad_3144_MENCEMSTIGJHKGPS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2236-244-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2236-242-0x00000000054C0000-0x00000000054E0000-memory.dmp

Filesize
128KB

Download
memory/2236-250-0x0000000005870000-0x000000000587E000-memory.dmp

Filesize
56KB

Download
memory/2236-249-0x0000000005850000-0x000000000585E000-memory.dmp

Filesize
56KB

Download
memory/2236-248-0x0000000005810000-0x0000000005846000-memory.dmp

Filesize
216KB

Download
memory/2236-247-0x00000000057D0000-0x00000000057EE000-memory.dmp

Filesize
120KB

Download
memory/2236-246-0x0000000005750000-0x00000000057BE000-memory.dmp

Filesize
440KB

Download
memory/2236-245-0x0000000005740000-0x0000000005754000-memory.dmp

Filesize
80KB

Download
memory/2236-252-0x0000000006390000-0x00000000064A6000-memory.dmp

Filesize
1.1MB

Download
memory/2236-251-0x00000000061E0000-0x000000000632A000-memory.dmp

Filesize
1.3MB

Download
memory/2236-243-0x0000000005700000-0x0000000005720000-memory.dmp

Filesize
128KB

Download
memory/2236-241-0x0000000005490000-0x00000000054AC000-memory.dmp

Filesize
112KB

Download
memory/2236-240-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/2236-239-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/2236-238-0x0000000005AB0000-0x0000000006056000-memory.dmp

Filesize
5.6MB

Download
memory/2236-237-0x0000000000680000-0x00000000009BA000-memory.dmp

Filesize
3.2MB

Download
memory/2236-254-0x0000000008DF0000-0x0000000008DF8000-memory.dmp

Filesize
32KB

Download
memory/2236-253-0x00000000059F0000-0x0000000005A20000-memory.dmp

Filesize
192KB

Download