Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/L...

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/LatenceX/Mercurial-Grabber/raw/main/Mercurial.exe

Score
10/10
mercurialgrabberxwormagilenetevasionexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

jajaovh.duckdns.org:1605

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Obfuscated with Agile.Net obfuscator 11 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LatenceX/Mercurial-Grabber/raw/main/Mercurial.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa52e346f8,0x7ffa52e34708,0x7ffa52e34718
      2⤵
        PID:4616
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        2⤵
          PID:3000
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2336
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
          2⤵
            PID:2040
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
            2⤵
              PID:1932
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
              2⤵
                PID:5108
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
                2⤵
                  PID:1628
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
                  2⤵
                    PID:4772
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
                    2⤵
                      PID:1268
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4728 /prefetch:8
                      2⤵
                        PID:3560
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
                        2⤵
                          PID:1256
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
                          2⤵
                            PID:3640
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
                            2⤵
                              PID:3280
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                              2⤵
                                PID:2276
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,1898817512353845008,6041202791210011630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1684
                              • C:\Users\Admin\Downloads\Mercurial.exe
                                "C:\Users\Admin\Downloads\Mercurial.exe"
                                2⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:956
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4812
                                • C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
                                  3⤵
                                  • Checks computer location settings
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3696
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3140
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Fondation.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4244
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4604
                                  • C:\Windows\System32\schtasks.exe
                                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Driver Fondation" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
                                    4⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:4200
                                • C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1444
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.cmdline"
                                    4⤵
                                      PID:4192
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E5E.tmp" "c:\Users\Admin\Downloads\CSC868087FEC939496FB1E854AA5719F61.TMP"
                                        5⤵
                                          PID:232
                                  • C:\Users\Admin\Downloads\Mercurial.exe
                                    "C:\Users\Admin\Downloads\Mercurial.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    PID:5064
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3224
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2276
                                    • C:\Windows\system32\taskmgr.exe
                                      "C:\Windows\system32\taskmgr.exe" /4
                                      1⤵
                                      • Checks SCSI registry key(s)
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:4176
                                    • C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2884
                                    • C:\Windows\System32\rundll32.exe
                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                      1⤵
                                        PID:4056
                                      • C:\Users\Admin\Downloads\output.exe
                                        "C:\Users\Admin\Downloads\output.exe"
                                        1⤵
                                        • Looks for VirtualBox Guest Additions in registry
                                        • Looks for VMWare Tools registry key
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Maps connected drives based on registry
                                        • Checks SCSI registry key(s)
                                        • Enumerates system info in registry
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4148

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Command and Scripting Interpreter

                                      1
                                      T1059

                                      PowerShell

                                      1
                                      T1059.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Persistence

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Privilege Escalation

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Defense Evasion

                                      Modify Registry

                                      1
                                      T1112

                                      Virtualization/Sandbox Evasion

                                      2
                                      T1497

                                      Credential Access

                                      Discovery

                                      Peripheral Device Discovery

                                      2
                                      T1120

                                      Query Registry

                                      8
                                      T1012

                                      System Information Discovery

                                      6
                                      T1082

                                      Virtualization/Sandbox Evasion

                                      2
                                      T1497

                                      Lateral Movement

                                      Collection

                                      Command and Control

                                      Web Service

                                      1
                                      T1102

                                      Exfiltration

                                      Impact

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        75c9f57baeefeecd6c184627de951c1e

                                        SHA1

                                        52e0468e13cbfc9f15fc62cc27ce14367a996cff

                                        SHA256

                                        648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

                                        SHA512

                                        c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        10fa19df148444a77ceec60cabd2ce21

                                        SHA1

                                        685b599c497668166ede4945d8885d204fd8d70f

                                        SHA256

                                        c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

                                        SHA512

                                        3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        337084bcc79141c06ff58f742df921f8

                                        SHA1

                                        2281721d1103e75fcfdc634d63f091cd9095e562

                                        SHA256

                                        83f56795248585eb6d2ab9849faf41a01b5821048b7367d3186f7340e3713cb5

                                        SHA512

                                        4d5e224c909cc1e11d1a079ce5639b32e41c72e5e905b2ea9525c4c2b6b11c27de07e855b05b7cb0123069a8c075f3d6ba34e800183bab0cfcd8d80ee9ed1a23

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        ab0d369950990dcd19a93e79bebf94cd

                                        SHA1

                                        81b7b4aafde8e35e34802b62d7a42ce2c09554d8

                                        SHA256

                                        7377976e516669d2f2cbf6496cbe99f8b3f994cf2c75f7e1f9658758597dbe90

                                        SHA512

                                        2c57d5f462ede0704a96652ff4fd5eea55e5e0d253c9c407d925b11f13656680ba4c0f3f1abf84dfa1287112348b2770668a9b4935b8f5aae25b58bee7bc967f

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        74c3e60533662238d39a047b5de2dc0a

                                        SHA1

                                        818a56093df4d282f6238010eaa0ef4b87b18467

                                        SHA256

                                        571fafaa403558f0f1f057ab03665d7deecfd7db8cbd1926ff9e35fcab78f909

                                        SHA512

                                        afac2115e39c072d488b893045835a888ae9b3d595da662a522cac44cce840a7fec770165e4b7283d0e69cdf1f0e5594916a90adf586aec34c595c6adfe4ad7c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        11KB

                                        MD5

                                        cb677e34931f5a73136a106b8db4f645

                                        SHA1

                                        28d92c5da695337e6f81c29952902e42801ee821

                                        SHA256

                                        181c2e9cb284ab027366368326fa07a9a4010155b5e1983a51783456a2148d52

                                        SHA512

                                        7af47dd460286023fe8e143940fcbc09e89e41ac54e47d083c11f7e9a8962e31764800554ee3cf606237d2c3e004a12720fdad913a75730f5a9ffab190810b00

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        11KB

                                        MD5

                                        0a23db8797f4f0436af9ba5147db0328

                                        SHA1

                                        1ad9324c17b369196312e2d4affa529ab92cc04e

                                        SHA256

                                        0d96769b1b8a37e58dd34da5dd7c752283f3cc9003da70d3ce6f6e94f21da8e5

                                        SHA512

                                        3c67b975440b49cc818bfe2d9e7aaf5809fca2997e5222da32704f209ab181df890b2a89a13df084cfbebfb2bab0e18f90171ca16a9894733f47e07bc445e81a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        d28a889fd956d5cb3accfbaf1143eb6f

                                        SHA1

                                        157ba54b365341f8ff06707d996b3635da8446f7

                                        SHA256

                                        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                        SHA512

                                        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        1af97e100ac889845dd88beb59e323fc

                                        SHA1

                                        dff8416e13c53e0faf8c116c14247b9c96a2c4e0

                                        SHA256

                                        39091b5b3f5da10755c788d4360d14b49373c5a292c7a5e5c1689d950c65ad44

                                        SHA512

                                        0e675d87ae19007e4d54c626a5eb892884beddc965ef9db084066d8bde8927b0e63cd31e6b05a197610a706f8e079e98969de1f2c7a7291215c5f95bf00c547f

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        15dde0683cd1ca19785d7262f554ba93

                                        SHA1

                                        d039c577e438546d10ac64837b05da480d06bf69

                                        SHA256

                                        d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                                        SHA512

                                        57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
                                        Filesize

                                        3.2MB

                                        MD5

                                        a9477b3e21018b96fc5d2264d4016e65

                                        SHA1

                                        493fa8da8bf89ea773aeb282215f78219a5401b7

                                        SHA256

                                        890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

                                        SHA512

                                        66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\RES2E5E.tmp
                                        Filesize

                                        1KB

                                        MD5

                                        a3b0b62b91d9cb1690a5bee948fcf458

                                        SHA1

                                        4bf6bc99c8082b562b22d4d68e136075fc39d087

                                        SHA256

                                        9b64b577920c16ef016e0872d2766920583bd3f708e9da7d245defbaa21d5c95

                                        SHA512

                                        bc494699519116623e0840dbb7c45308d3042d021c993185440f0d06944a081e403d2978031b23ac8708c655649d44c73b52fd894573bb4f10138ad06ee0d568

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Windows Driver Fondation.exe
                                        Filesize

                                        74KB

                                        MD5

                                        05d6375f717894f6c07eacb16399a613

                                        SHA1

                                        f93a2416126c9535e3909136036933ba09d36bc9

                                        SHA256

                                        40ca2053a545e506a967791f297373c21d6bcd1a6d1636dff35f0d11c912c4d6

                                        SHA512

                                        a308b3b3b659db7df53ca7105ef4013537bb294a4a3711568a0a1770955bc07ccfda8326b9a420762e4ebe484b1cba39c902756321da3ea36e44c8462b952fee

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3dabfz3.p2h.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Driver Fondation.lnk
                                        Filesize

                                        1KB

                                        MD5

                                        dd15fb2c06966c45017a9651a46b7b29

                                        SHA1

                                        e4ac05ef1cce24521896a7e441863dda3a9dd794

                                        SHA256

                                        e67cccb6ce633635975095af1b17a0d216e74d702d90d9135d8e27462dca3c97

                                        SHA512

                                        2d0393140a5c01bc81c696eb79095ddde26e07eedab4164ff15682520d324b5e02939b69950d597b73d5ee06daf95464009eed5d97d8a06d433b2392f8db0c48

                                        Download Submit

                                      • C:\Users\Admin\Downloads\Unconfirmed 757388.crdownload
                                        Filesize

                                        3.2MB

                                        MD5

                                        f9dbd49b84160c028e52f921f499c60f

                                        SHA1

                                        f9b1ff4f3284f2ccf47142c23a35a639556bf46d

                                        SHA256

                                        942093d69485be85812012a795578c8a0500ca432e3edb079fd4fa628bbf6f6a

                                        SHA512

                                        61e45a765fc9f73f2fd2382201b07414640551ee8becdc625c9e7da9aa7dafabb97cdb7bb9cbf1c9871032ae26ce2c01bb2cc929fb797acafa374d1bb116019a

                                        Download Submit

                                      • C:\Users\Admin\Downloads\output.exe
                                        Filesize

                                        41KB

                                        MD5

                                        8d3a4e40058379424525370b5a3fc57d

                                        SHA1

                                        b727ca6810f902e1b086047221a352aceb16970e

                                        SHA256

                                        9212c1fcd4337e0a9bfc465d7493fd51efd51ab1816661b27ddbb5ade829ffd8

                                        SHA512

                                        b065629335be0f3d378834f99b51f9d80b75cf1e5417f987c919dc8bd04c7712f177d6c68f8989ebadc0c99fee1cd3ea25a992cc1fbe52c0581e4d59784ba93c

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.0.cs
                                        Filesize

                                        11KB

                                        MD5

                                        43abcf9d8a996325b8914d310902f6b1

                                        SHA1

                                        ee6b0225a77a030cd1f085dde8304e025a3881c7

                                        SHA256

                                        5e9d62eb167dbb1dd57579ed71fd8bef154fbb843764d65b12caf19d21eb9d28

                                        SHA512

                                        2d9ebcfc930bdbfbd444a5b33570eb63b4fe88502e9514212c21d0fbf8ea4f474c9041f1ec7642777af3c97c6fd707c13aed5a60ac7ddad3467ce4d0c4de3e1d

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.1.cs
                                        Filesize

                                        5KB

                                        MD5

                                        8aab1997664a604aca551b20202bfd14

                                        SHA1

                                        279cf8f218069cbf4351518ad6df9a783ca34bc5

                                        SHA256

                                        029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

                                        SHA512

                                        cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.2.cs
                                        Filesize

                                        7KB

                                        MD5

                                        6fdae9afc1f8e77e882f1ba6b5859a4e

                                        SHA1

                                        33eb96f75ffe9a1c4f94388e7465b997320265a5

                                        SHA256

                                        a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

                                        SHA512

                                        97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.3.cs
                                        Filesize

                                        8KB

                                        MD5

                                        6ba707982ee7e5f0ae55ce3fa5ccad17

                                        SHA1

                                        d094c98491058ed49861ce82701abe1f38385f18

                                        SHA256

                                        19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

                                        SHA512

                                        d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.4.cs
                                        Filesize

                                        2KB

                                        MD5

                                        fae5458a5b3cee952e25d44d6eb9db85

                                        SHA1

                                        060d40137e9cce9f40adbb3b3763d1f020601e42

                                        SHA256

                                        240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

                                        SHA512

                                        25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.5.cs
                                        Filesize

                                        4KB

                                        MD5

                                        42f157ad8e79e06a142791d6e98e0365

                                        SHA1

                                        a05e8946e04907af3f631a7de1537d7c1bb34443

                                        SHA256

                                        e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

                                        SHA512

                                        e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.6.cs
                                        Filesize

                                        6KB

                                        MD5

                                        8ec0f0e49ffe092345673ab4d9f45641

                                        SHA1

                                        401bd9e2894e9098504f7cc8f8d52f86c3ebe495

                                        SHA256

                                        93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

                                        SHA512

                                        60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.7.cs
                                        Filesize

                                        16KB

                                        MD5

                                        05206d577ce19c1ef8d9341b93cd5520

                                        SHA1

                                        1ee5c862592045912eb45f9d94376f47b5410d3d

                                        SHA256

                                        e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

                                        SHA512

                                        4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.8.cs
                                        Filesize

                                        561B

                                        MD5

                                        7ae06a071e39d392c21f8395ef5a9261

                                        SHA1

                                        007e618097c9a099c9f5c3129e5bbf1fc7deb930

                                        SHA256

                                        00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

                                        SHA512

                                        5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.9.cs
                                        Filesize

                                        10KB

                                        MD5

                                        380d15f61b0e775054eefdce7279510d

                                        SHA1

                                        47285dc55dafd082edd1851eea8edc2f7a1d0157

                                        SHA256

                                        bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

                                        SHA512

                                        d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

                                        Download Submit

                                      • \??\c:\Users\Admin\AppData\Local\Temp\g2sdl2dw\g2sdl2dw.cmdline
                                        Filesize

                                        833B

                                        MD5

                                        beb52b75fa9db5a538427adae44f8e28

                                        SHA1

                                        97a5e5c3b3f7de089089e79c50b2f730ab614f8a

                                        SHA256

                                        92a2943faeca3b0fc1b9ef14d1d0913da3d7fe8eaed3261bc0369ffcf7f089b4

                                        SHA512

                                        5773b7ec75b574f6a121bb1cf831cc0e2cd11d28e52babe92f2d769a3fc6c80670b60c2fcebb7782665f483d9a8d806da4ab9c0c23a2897a83b168f5a234fa85

                                        Download Submit

                                      • \??\c:\Users\Admin\Downloads\CSC868087FEC939496FB1E854AA5719F61.TMP
                                        Filesize

                                        1KB

                                        MD5

                                        2c8070f084ff635f9e016b831cd6ef16

                                        SHA1

                                        84d8287a21eaf176ebd7b3efe8571b3862de873a

                                        SHA256

                                        535d007133ddae112030480aac0b6954d4aac98bcd69b0ef192a010770564a4f

                                        SHA512

                                        f7dd550984e579912cf8fa688c53985308862954688b44482c83c05d61274519812a5ea9b6ddcfcd8972d117c8e3edfa6da0e23f3c8ea17ef0bdab80bf0d4c1f

                                        Download Submit

                                      • memory/956-60-0x0000000000CF0000-0x0000000001008000-memory.dmp

                                        Filesize

                                        3.1MB

                                        Download

                                      • memory/1444-119-0x0000000004E10000-0x0000000004EA2000-memory.dmp

                                        Filesize

                                        584KB

                                        Download

                                      • memory/1444-128-0x0000000005150000-0x0000000005186000-memory.dmp

                                        Filesize

                                        216KB

                                        Download

                                      • memory/1444-117-0x0000000000070000-0x00000000003AA000-memory.dmp

                                        Filesize

                                        3.2MB

                                        Download

                                      • memory/1444-118-0x0000000005490000-0x0000000005A34000-memory.dmp

                                        Filesize

                                        5.6MB

                                        Download

                                      • memory/1444-120-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/1444-121-0x0000000004DD0000-0x0000000004DEC000-memory.dmp

                                        Filesize

                                        112KB

                                        Download

                                      • memory/1444-124-0x0000000005070000-0x0000000005080000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1444-123-0x0000000005040000-0x0000000005060000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/1444-147-0x00000000087D0000-0x00000000087D8000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/1444-122-0x0000000004EB0000-0x0000000004ED0000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/1444-125-0x0000000005080000-0x0000000005094000-memory.dmp

                                        Filesize

                                        80KB

                                        Download

                                      • memory/1444-126-0x0000000005090000-0x00000000050FE000-memory.dmp

                                        Filesize

                                        440KB

                                        Download

                                      • memory/1444-133-0x0000000005430000-0x0000000005460000-memory.dmp

                                        Filesize

                                        192KB

                                        Download

                                      • memory/1444-132-0x0000000005B90000-0x0000000005CA6000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/1444-131-0x0000000005A40000-0x0000000005B8A000-memory.dmp

                                        Filesize

                                        1.3MB

                                        Download

                                      • memory/1444-127-0x0000000005110000-0x000000000512E000-memory.dmp

                                        Filesize

                                        120KB

                                        Download

                                      • memory/1444-130-0x00000000051B0000-0x00000000051BE000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/1444-129-0x0000000005190000-0x000000000519E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/3696-107-0x0000000000A80000-0x0000000000A98000-memory.dmp

                                        Filesize

                                        96KB

                                        Download

                                      • memory/4148-256-0x0000000000A80000-0x0000000000A90000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/4176-143-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-134-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-140-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-141-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-142-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-144-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-145-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-146-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-135-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4176-136-0x0000015A83CD0000-0x0000015A83CD1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4812-84-0x000001DA45E70000-0x000001DA45E92000-memory.dmp

                                        Filesize

                                        136KB

                                        Download