Analysis Overview
SHA256
3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6
Threat Level: Known bad
The file Mercurial.Grabber.v1.03.rar was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Mercurialgrabber family
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Subvert Trust Controls: Mark-of-the-Web Bypass
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Checks processor information in registry
NTFS ADS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 04:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 04:02
Reported
2024-11-22 04:08
Platform
win11-20241007-en
Max time kernel
212s
Max time network
279s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 04:02
Reported
2024-11-22 04:14
Platform
win11-20241007-en
Max time kernel
701s
Max time network
704s
Command Line
Signatures
Mercurial Grabber Stealer
Mercurialgrabber family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\Mercurial.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New folder\Astral.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0\NodeSlot = "9" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0 = 5000310000000000475985601000372d5a6970003c0009000400efbe47598560475985602e000000d69e0200000004000000000000000000000000000000e52d520037002d005a0069007000000014000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\NodeSlot = "8" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7zOC467A29E\readme.txt:Zone.Identifier | C:\Program Files\7-Zip\7zFM.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbc193cb8,0x7fffbc193cc8,0x7fffbc193cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6016 /prefetch:2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w4glaczu\w4glaczu.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1044.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D0332BBF6C542CCA1F325DD60CC69B4.TMP"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bafo5vb1\bafo5vb1.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87EB.tmp" "c:\Users\Admin\AppData\Local\Temp\7zOC46345ED\CSCE697E9545DE44D7E974EC4AC422D4846.TMP"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC467A29E\readme.txt
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amkhmin4\amkhmin4.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2331.tmp" "c:\Users\Admin\AppData\Local\Temp\7zOC46345ED\CSC52A4F268BF93462082EAEB7C1C831AE.TMP"
C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
C:\Users\Admin\Desktop\New folder\Mercurial.exe
"C:\Users\Admin\Desktop\New folder\Mercurial.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilzydkvc\ilzydkvc.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EA5.tmp" "c:\Users\Admin\Desktop\New folder\CSC4495BD147024473FAACBD3E696C2954A.TMP"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
C:\Users\Admin\Desktop\New folder\Astral.exe
"C:\Users\Admin\Desktop\New folder\Astral.exe"
Network
Files
| SHA256 | 3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6 |
| SHA512 | fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015 |
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier
| MD5 | 3f88889b5f62c0d08592c16aa3ec30ee |
| SHA1 | 51942ae8526ec69e1fc0f73ccd36c43545206963 |
| SHA256 | 404a84d490d5ded875ca498cb64a3f50b7acbd95a89e80efba71206cf8603224 |
| SHA512 | de009167642df3f8ba2dca605c93cc3831957ee67c93ec380df9cebc14d89a42123281ea9d8b81ffa8cd80ac5a75e00e4dd1221a658431166229e7e685b0059c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fc5a60c3b9faae9629c2899914091f36 |
| SHA1 | eefad8fbf067e359db40984673223e515ff9274a |
| SHA256 | c68024189c5f0a3ac2457cbaa2094e0a92b90cb4dbed56358e6a7b140171d949 |
| SHA512 | 9da32e849a22e19923f66290d5236d163d664e52633979aea4ef813294613d9d8b12a6db754d072f649746d9a854396348f7cbcaf76168412cf15ef0db5e0f68 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 126d1b42c007fdf850faa034f73ee0a3 |
| SHA1 | c61b4f7591a5c422830734e253bfcfe8c8b342be |
| SHA256 | 169d63ecd47896d1e585e20129c7d93425575ac942ee37b19b2cca1539f2dd85 |
| SHA512 | fc6b4a1ece2953ec6e5fd200ed30b38cf96e4a3102ac4fa6a7c57b4ce0638e34de46a05679d3bb0b609d11fa6556dd75d95a6e254155cbffb9e6b0880edc8570 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 184a19f1e81cfa675fbd2bb2e77eecdf |
| SHA1 | 352d1cb5fb15c57db71101ab10ca2b513ceddea9 |
| SHA256 | f168433445fff683ff80445ed14a9528a23457e4dba635b1748d81d56fb8e11c |
| SHA512 | c0dbba94a8585ace80cd80bfba303c3dbcf8ec7c9ab5d8a89893806c84f198be39ee5297c560a29911f1627b787cbe42e16bc4c3308aa09e167f915461046570 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 56282b9ac5bf03795d959e000d03981c |
| SHA1 | 0e0e159cf0184ada9d033edafb4b04d58fed606f |
| SHA256 | 9d79b564f0f02e789ee5684dd1427093947c979942f27b5bc91171febced80cc |
| SHA512 | 417019812af8781f013559ab03c6a2b59f0e04ad1ddd48ccd629ee3969ecce9eeeeb7711d5e70def0bd0b33bbc4eb4f081f96e7c5d5fa3463d48a9c4832e08ae |
C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe
| MD5 | a9477b3e21018b96fc5d2264d4016e65 |
| SHA1 | 493fa8da8bf89ea773aeb282215f78219a5401b7 |
| SHA256 | 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645 |
| SHA512 | 66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mercurial.exe.log
| MD5 | 2cd056bf2cb201147013842c7e70bd08 |
| SHA1 | f01f285a3c8121db0bd64d58055838afbd8f44bd |
| SHA256 | c2c2e2f3f8dcf510d1e8e328f3f62ed24f84a8215d70afbb617555ba61e38188 |
| SHA512 | 2b48b94968755359603c3726c1ae6eefe0b93b6d7ca82db4cc79f991701b82c01de68e6dcb82677e7b79207a907b88c3cc94f9285bebaf87a3d4fdb06eba8b75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f877003c5f10c8e14a5b95e3b5602116 |
| SHA1 | efcc102a59569230997bfbc4a9ad789c20e6b9fc |
| SHA256 | ad7bf8bfe5906d19d32139ff91a020f01d7032e34485275d0b388641afe87285 |
| SHA512 | a07a986263459ce14dee7567a730732bfcdca700689736cd6c0253f895542ef77f66c38698fb52692e8441304ff06f8ceccb45e54b88c8a4902d40edcb9bcf86 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ca8348684dd0855dd936c7153f915ece |
| SHA1 | 0e1389574ce1f97fd0288b8dff4dbaba62aea840 |
| SHA256 | 74338d331c0f31e55a66af2453f079dbeb3e168e7342e3ba10ecc16b892049e2 |
| SHA512 | 5d1c1539c7cefab31af75fa72396381b47d2914d0ae0d990935313f986fc21af3baf3e301318a7cbe5482a05f17822ac087ad3ae96a2a7ce691cbc51179030db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4900d20ef84f1beb267dbbd9702f784c |
| SHA1 | 3aa9fd606f95102ace59ec0d04074f81018096d7 |
| SHA256 | 5b8eb22c0d0d5f5f06756da40b7a542efb4aa9b642b2c869996d37548d7eb77a |
| SHA512 | 14a9d89361c62055af3160d3e33be62500648712cffa58d756de114dd538d2f1d06196fe397662697fce8cffbe05469bb7d7cf7df7022555807e82d5a3a0a0f6 |
\??\c:\Users\Admin\AppData\Local\Temp\bafo5vb1\bafo5vb1.cmdline
| MD5 | 504d6ed39c57102e32f99335f371ecd5 |
| SHA1 | b33a9f64b67447ab495445d9671c5007833d903e |
| SHA256 | 22042dcb82c7fa2eebeecb8c4878d6d32a0358ff4b1204dad4bb63332a35268e |
| SHA512 | bf18f5743d1565f71616c8e7a79fbbf56998e368738a21aef7db7cfc99cbf13a90004f5efb1936781dd5ecbf33a16b3b9db987722a47e0d6aa38fbea3f056ea2 |
\??\c:\Users\Admin\AppData\Local\Temp\bafo5vb1\bafo5vb1.0.cs
| MD5 | a692910eb2bf815176694dd95debf741 |
| SHA1 | 8857cc254b760c602606aa13d4ed32f744a45910 |
| SHA256 | 5cdafdde20039dcfaefe53c0240e4c76602dc9b4282cc085aaa969a8bd40763d |
| SHA512 | 79749d0c6b4c793cc24e633c8b7230d30887129b5fb9778b1aa16ee049a552cdf82250ad359a5b908e58ffd3c1f16d8c6f5c1d28bf62bc0d6404a10e24c15507 |
\??\c:\Users\Admin\AppData\Local\Temp\7zOC46345ED\CSCE697E9545DE44D7E974EC4AC422D4846.TMP
| MD5 | 1281da0b392165aed62b790a68759e75 |
| SHA1 | bd457547a4852ab49799fbc53a94a7fe5a265e2e |
| SHA256 | 62dedba620928fed42856adfc6ee6091f0158ea10c4f31ef92e24f5d4e6d29ae |
| SHA512 | 6bba0ff1a45edeeb8baa00d7d9b980cc218c66000f95cbaac7e55de6c01439f6b50e4bb01d4d1c6198784f08878aef7ae73bdb21df8b71921af2a45d364bf624 |
C:\Users\Admin\AppData\Local\Temp\RES87EB.tmp
| MD5 | 4ba55d80cd716315b4dca54135febdb6 |
| SHA1 | 87f0661d264e0abd9b338a7211437879ef96bfba |
| SHA256 | 1ce8a14c3f0a5785239838bf8c3816daa521ac98f9bc2eca27b568ef4f407a35 |
| SHA512 | b30948fbf2960755f9a23eeea9ba02a48c21d81c932f4288239b142b33d3727dfb4ccc6ae9ba891ea2ef6dbea30d312bf7d0c6d34542513ff237ba3fb1a2cc0f |
C:\Users\Admin\AppData\Local\Temp\7zOC467A29E\readme.txt
| MD5 | 77976ab4f7b14569dd64f212ce6ee64e |
| SHA1 | f442ef7a74ac6922628bc8ba03ea08e62f83253e |
| SHA256 | 044b863e9895e669d45d97d44a4f80f2b9ac5f941635ef3c1e9f39ad12747ecf |
| SHA512 | 52d4b884b2462449576fe9dac654de500985b53d0262472d88a1bc659b3a5ffe0ed5f0581c50ef006c3b3d7dbf816a80d21e6b6f4c03b595bb108a4360a60723 |
\??\c:\Users\Admin\AppData\Local\Temp\amkhmin4\amkhmin4.cmdline
| MD5 | fba0bbe0ab690795f3ecb225d160917b |
| SHA1 | 61fc5246b542817e2808ace638560951ec937ff8 |
| SHA256 | 043247fe34b547785184b9a80fa81d0c8853ece3b1a4dbcd2cd08aa5702b71eb |
| SHA512 | 4b39488041f1cd3573a24b6c741565965b801441e1d610abbd81b966deceec1d3e8310f3a1e7436d9afc3fd88b9bf8077ae88ded8d26c3be998b5c7eeb9456ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8e538514ac5ff66a752bfde297493522 |
| SHA1 | 41932ed5b667c68b48469df6c665d20f953144f3 |
| SHA256 | 6487648700f34961644ff81e4101b3f21ed0867739690b3e179dae31edc9df93 |
| SHA512 | 36a6984624bb9cda50ef6e8126b02a20f396c4047f2c2f8db17aafc6babb700499011d787b4f2994da88cc6665e3e27a4f6fb8a42b006fbb3060612b4e3faf1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9ad14a206a3a46f235a7c9d3504c8eee |
| SHA1 | f0c847c80353a059a99d39396303e1b58f10099b |
| SHA256 | 54f1fe770ae2dbc11df94a39152fb51dbb691fdc57c326b1d901257536bc609a |
| SHA512 | 26cdd133d155c899b946af571c1384b4f8758f752255e9259d920ae7fa6243128e3cc7671561be0858f6ca6a5cffa435a9dd53460221b79138a5acdb2e053d50 |
memory/4072-868-0x0000000000160000-0x0000000000170000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\login.db
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 04:02
Reported
2024-11-22 04:08
Platform
win11-20241007-en
Max time kernel
300s
Max time network
202s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4976 wrote to memory of 4136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4976 wrote to memory of 4136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 20.42.65.94:443 | N/A | tcp |