Malware Analysis Report

2024-11-30 15:47

Sample ID 241122-el73xaznbl
Target Mercurial.Grabber.v1.03.rar
SHA256 3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6
Tags: mercurialgrabber agilenet defense_evasion discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

Threat Level: Known bad

The file Mercurial.Grabber.v1.03.rar was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber agilenet defense_evasion discovery spyware stealer

Mercurial Grabber Stealer

Mercurialgrabber family

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Subvert Trust Controls: Mark-of-the-Web Bypass

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

NTFS ADS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-22 04:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-22 04:02
Reported: 2024-11-22 04:08
Platform: win11-20241007-en
Max time kernel: 212s
Max time network: 279s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A

Note: "35" is the privilege LUID the sandbox prints when it has no name for it; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE. SeRestorePrivilege and SeCreateSymbolicLinkPrivilege are what 7-Zip enables to restore attributes and symbolic links on extraction. This run only opened the archive in 7-Zip (the process list below contains nothing but 7zFM.exe), so behavioral1 shows no sample-specific behaviour.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-22 04:02
Reported: 2024-11-22 04:14
Platform: win11-20241007-en
Max time kernel: 701s
Max time network: 704s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (×11; the three signatures above are family and packer classifications and carry no per-event indicator)

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (×24)

Note: Discord is legitimate infrastructure, so discord.com on its own is not a usable block indicator. This family's use of it is consistent with webhook-based exfiltration; the actionable artifact is the webhook URL, so hunt proxy logs for POSTs to discord.com/api/webhooks/... from processes that are not a browser or the Discord client. The sandbox does not attribute these 24 hits to a process on this page.

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A (×2)
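To turn the two network signatures above into a check a SOC can run over proxy or sandbox network logs, here is an added Python example (not code from the sandbox and not from the malware). The log format, the process names and the webhook id/token in SAMPLE_LOG are constructed for the demo, and the BROWSERS allow-list is an assumption. It separates the strong signals (an external-IP lookup, a Discord webhook path) from the weak one (any traffic to the Discord host) so that a browser's normal Discord use does not drown out the sample's.

```python
"""Score outbound requests against the network indicators in this report
(ip4.seeip.org, ip-api.com, discord.com) and attribute them per process.

Added example for this page; not code from the sandbox or from the malware.
Everything in SAMPLE_LOG (format, process names, the webhook id/token) is
constructed for the demo, and BROWSERS is an assumed allow-list.
"""
from __future__ import annotations

import re
from collections import Counter

# Public "what is my IP" services: a user-profile binary calling one of
# these right after start is the classic stealer geolocation step.
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "ip-api.com"}

# Discord is legitimate infrastructure. Only the webhook API path is a
# strong signal; a bare host hit is weak and only interesting outside a browser.
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
DISCORD_WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")

# Assumed allow-list: processes for which Discord traffic is expected.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed proxy log lines: "<process> <method> <host> <path>"
SAMPLE_LOG = """\
Mercurial.exe GET ip4.seeip.org /
Mercurial.exe GET ip-api.com /json/
msedge.exe GET discord.com /
Mercurial.exe POST discord.com /api/webhooks/1234567890/AbCdEf_ghIJ-kl
msedge.exe GET discord.com /channels/@me
Mercurial.exe GET discord.com /
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


def classify(line: str) -> tuple[str, str] | None:
    """Return (process, verdict) for one log line, None if it does not parse.

    Verdicts: ip-lookup, discord-webhook, discord-host-only, clean.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, host, path = m["proc"], m["host"].lower(), m["path"]
    if host in IP_LOOKUP_HOSTS:
        return proc, "ip-lookup"
    if host in DISCORD_HOSTS:
        if DISCORD_WEBHOOK_RE.match(path):
            return proc, "discord-webhook"
        if proc.lower() not in BROWSERS:
            return proc, "discord-host-only"
    return proc, "clean"


def triage(log: str) -> dict[str, Counter]:
    """Count verdicts per process so strong and weak hits stay separate."""
    per_proc: dict[str, Counter] = {}
    for line in log.splitlines():
        res = classify(line)
        if res is None:
            continue  # skip malformed lines rather than guessing
        proc, verdict = res
        per_proc.setdefault(proc, Counter())[verdict] += 1
    return per_proc


def suspicious_processes(log: str) -> list[str]:
    """Processes with at least one strong hit (IP lookup or webhook)."""
    return sorted(
        proc for proc, c in triage(log).items()
        if c["ip-lookup"] or c["discord-webhook"]
    )


if __name__ == "__main__":
    for proc, counts in triage(SAMPLE_LOG).items():
        print(f"{proc}: {dict(counts)}")
    print("suspicious:", suspicious_processes(SAMPLE_LOG))
```

On the constructed log only Mercurial.exe is flagged: two IP lookups and one webhook POST are strong hits, its bare GET to discord.com is recorded as weak, and the browser's Discord traffic stays clean.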

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A

Caveat: the single indicator is 7-Zip writing a Zone.Identifier stream onto the extracted Mercurial.exe, which propagates the Mark of the Web from the downloaded archive to the payload rather than removing it. No process in this run is shown deleting or rewriting a Zone.Identifier stream, so the ATT&CK label is a heuristic match on ADS activity; an actual bypass would leave the extracted file without the mark or strip it before execution.

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New folder\Mercurial.exe N/A

Note: the language-key reads are low-signal on their own (the .NET runtime does this routinely). What is worth noting in this table is that csc.exe and cvtres.exe, the .NET C# compiler and its resource converter, ran during the detonation. For a .NET sample that usually means runtime code generation (System.CodeDom compilation writing a temporary assembly under %TEMP%) rather than a separately dropped tool; this page does not show the parent process, so confirm the process tree before attributing it to Mercurial.exe. Three copies of Mercurial.exe appear in this run: the submitted one in Temp, the one 7-Zip extracted to 7zOC46345ED, and one in Desktop\New folder.

Checks processor information in registry

Note: every row below comes from Astral.exe, a second executable in the Desktop\New folder directory that also enables SeDebugPrivilege (see AdjustPrivilegeToken further down). It is not in the submitted command line and no hash for it appears on this page, so treat it as an additional artifact to acquire rather than as part of the Mercurial.exe classification. Reading ProcessorNameString is a common host-fingerprinting (and VM-check) step.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New folder\Astral.exe N/A

Enumerates system info in registry

Note: the process for all three rows is msedge.exe; a browser reading SystemManufacturer/SystemProductName is routine and is not attributable to the sample.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Note: almost all of these rows are Explorer ShellBags state (BagMRU, Bags\N\Shell, Bags\N\ComDlg) written by OpenWith.exe, 7zFM.exe, msedge.exe and Mercurial.exe; that is folder-view state kept by Explorer and the common file dialogs, not configuration that affects execution. The Applications\7zFM.exe\shell\open\command keys are OpenWith.exe recording 7-Zip as the handler chosen in the Open With dialog. No Run key, service or scheduled task write appears here. The only HKLM entries are the CLSID\{4336a54d-...}\Instance key creations by OpenWith.exe and Mercurial.exe; RegCreateKey also succeeds on a key that already exists, so verify the key was actually new before reading this as a COM registration change.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0\NodeSlot = "9" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0 = 5000310000000000475985601000372d5a6970003c0009000400efbe47598560475985602e000000d69e0200000004000000000000000000000000000000e52d520037002d005a0069007000000014000000 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\NodeSlot = "8" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Applications\7zFM.exe\shell\open C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Program Files\7-Zip\7zFM.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zOC467A29E\readme.txt:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A

Note: read in order, msedge.exe writes the Zone.Identifier stream on the downloaded archive (the browser applying the Mark of the Web), then 7zFM.exe creates Zone.Identifier streams on the files it extracts, Mercurial.exe and readme.txt. That is 7-Zip propagating the mark to the extracted payload; these rows are informational and are the same ADS activity behind the "Mark-of-the-Web Bypass" signature above.
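To verify what the two 7-Zip rows actually left on disk, the following added Python example (not part of the report and not 7-Zip code) parses a Zone.Identifier stream, decides whether the file still carries an untrusted-zone mark, and on Windows reads the stream straight off an NTFS file with the `path:Zone.Identifier` syntax. SAMPLE_STREAM mirrors the layout a browser writes for a download; its URLs are constructed placeholders.

```python
"""Parse a Zone.Identifier alternate data stream (the Mark of the Web) and
decide whether a file still carries an untrusted-zone mark.

Added example for this page; not code from the sandbox report or from 7-Zip.
SAMPLE_STREAM mirrors the layout a browser writes for a download; its URLs
are constructed placeholders.
"""
from __future__ import annotations

import sys

# URLZONE values from urlmon.h; 3 and 4 are what SmartScreen/Defender act on.
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed stream content (CRLF-terminated, as written by Windows).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/Mercurial.Grabber.v1.03.rar\r\n"
)


def parse_zone_identifier(text: str) -> dict[str, str]:
    """Return the key=value pairs of the [ZoneTransfer] section.

    Lines outside that section are ignored, mirroring the shell, which only
    consults ZoneId (ReferrerUrl/HostUrl are forensic extras).
    """
    fields: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_of(text: str) -> int | None:
    """ZoneId as an int, or None when absent or malformed (no MOTW effect)."""
    zid = parse_zone_identifier(text).get("ZoneId")
    if zid is None:
        return None
    try:
        return int(zid)
    except ValueError:
        return None


def is_marked(text: str) -> bool:
    """True when Windows will treat the file as untrusted (Internet/Restricted)."""
    z = zone_of(text)
    return z is not None and z >= 3


def read_motw(path: str) -> str | None:
    """Read the Zone.Identifier stream of an NTFS file (Windows only).

    None means the stream is absent: either the file never had a mark or an
    extractor/tool dropped it, which is the state a real MOTW bypass leaves.
    """
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams need NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            stream = read_motw(p)
            if stream is None:
                print(f"{p}: no Zone.Identifier stream")
            else:
                z = zone_of(stream)
                print(f"{p}: ZoneId={z} ({ZONES.get(z, 'unknown')}) marked={is_marked(stream)}")
    else:
        print(parse_zone_identifier(SAMPLE_STREAM), "marked:", is_marked(SAMPLE_STREAM))
```

Run with file paths as arguments on a Windows host to inspect real streams; with no arguments it parses the constructed sample. A stream that is present with ZoneId=3 on the extracted Mercurial.exe is the propagated-mark outcome the 7-Zip rows describe; a missing stream is what an actual bypass would produce.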

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Caveat: this is a generic heuristic (Notepad launched during detonation). The sample is classified as a stealer, no file encryption is reported, and the only text file extracted in this run is readme.txt from the archive (see NTFS ADS), so the opened file is most likely the archive's readme rather than a ransom note.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A (×8)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×4)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A (×2)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×8)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe N/A (×9)
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (×4)
N/A N/A C:\Users\Admin\Desktop\New folder\Mercurial.exe N/A (×9)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (×2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×23)

Caveat: every hit is msedge.exe. Edge (Chromium) creates its sandboxed child processes with the block-non-Microsoft-binaries (code integrity guard) mitigation policy, so this signature describes the browser's own hardening, not anything the sample did.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mercurial.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A (×2)
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\Mercurial.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\Astral.exe N/A (×8)

Note: "Token: 35" is the sandbox printing the privilege LUID; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE. SeRestore, SeSecurity and SeCreateSymbolicLink are consistent with an archive manager restoring attributes, security descriptors and symbolic links on extraction, so the 7zFM.exe rows are expected. The rows that matter are SeDebugPrivilege, enabled by all three copies of Mercurial.exe and by Astral.exe: a user-profile binary has no ordinary reason to enable it, and it is typically requested before opening other processes' memory.
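The table above mixes expected privilege use by 7-Zip with the sample's SeDebugPrivilege requests and prints one privilege only as a number. The following added Python example (not sandbox code) decodes numeric LUIDs with the SE_*_PRIVILEGE constants from winnt.h, attributes each privilege to the requesting process, and flags processes that run from user-writable paths and enable a high-risk privilege. ROWS is a constructed subset of the rows above in the report's own "Description Indicator Process Target" layout; the user-writable-path rule and the HIGH_RISK set are assumptions for the demo.

```python
"""Decode the 'Token: ...' rows of a sandbox AdjustPrivilegeToken table and
attribute privilege use to the requesting process.

Added example for this page; not code from the sandbox. ROWS is a constructed
subset of the report's rows (same column order as the page). PRIVILEGE_LUIDS
follows the SE_*_PRIVILEGE constants in winnt.h; HIGH_RISK and the
user-writable-path rule are assumptions for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Numeric LUIDs the sandbox prints when it has no name for a privilege
# (winnt.h SE_*_PRIVILEGE values; only the ones relevant here).
PRIVILEGE_LUIDS = {
    8: "SeSecurityPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    20: "SeDebugPrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
}

# Privileges that are a red flag when enabled by a user-profile binary (assumption).
HIGH_RISK = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege"}

# Constructed subset of the report's rows: "Token: <priv> N/A <process> N/A"
ROWS = """\
Token: SeDebugPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Mercurial.exe N/A
Token: SeRestorePrivilege N/A C:\\Program Files\\7-Zip\\7zFM.exe N/A
Token: 35 N/A C:\\Program Files\\7-Zip\\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\\Program Files\\7-Zip\\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\\Users\\Admin\\Desktop\\New folder\\Astral.exe N/A
Token: SeDebugPrivilege N/A C:\\Users\\Admin\\Desktop\\New folder\\Astral.exe N/A
"""

# Process paths may contain spaces, so match the trailing "N/A" non-greedily.
ROW_RE = re.compile(r"^Token:\s+(?P<priv>\S+)\s+N/A\s+(?P<proc>.+?)\s+N/A$")


def privilege_name(token: str) -> str:
    """Map a numeric LUID to its SE_* name; named tokens pass through."""
    if token.isdigit():
        return PRIVILEGE_LUIDS.get(int(token), f"LUID:{token}")
    return token


def parse_rows(text: str) -> list[tuple[str, str]]:
    """Return (process_path, privilege_name) for each well-formed row."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((m["proc"], privilege_name(m["priv"])))
    return out


def is_user_writable(path: str) -> bool:
    """Binaries under the user profile or temp dirs get less trust than
    those under Program Files / Windows (assumed rule)."""
    low = path.lower()
    return low.startswith("c:\\users\\") or "\\appdata\\" in low or "\\temp\\" in low


def attribute(text: str) -> dict[str, dict[str, int]]:
    """Per process: how many times each privilege was enabled."""
    table: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for proc, priv in parse_rows(text):
        table[proc][priv] += 1
    return {p: dict(v) for p, v in table.items()}


def flagged(text: str) -> list[str]:
    """Processes from user-writable paths that enabled a high-risk privilege."""
    return sorted(
        proc for proc, privs in attribute(text).items()
        if is_user_writable(proc) and HIGH_RISK & set(privs)
    )


if __name__ == "__main__":
    for proc, privs in attribute(ROWS).items():
        print(f"{proc}: {privs}")
    print("flagged:", flagged(ROWS))
```

On the constructed rows the two 7-Zip privileges resolve to their names and 7zFM.exe is not flagged, while both user-profile binaries (Mercurial.exe and Astral.exe) are flagged for SeDebugPrivilege, which is the split the note above makes by hand.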

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3056 wrote to memory of 3380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe

"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbc193cb8,0x7fffbc193cc8,0x7fffbc193cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3336 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6016 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w4glaczu\w4glaczu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1044.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D0332BBF6C542CCA1F325DD60CC69B4.TMP"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"

C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC46345ED\Mercurial.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,764662587749405661,16056874670189556217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bafo5vb1\bafo5vb1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87EB.tmp" "c:\Users\Admin\AppData\Local\Temp\7zOC46345ED\CSCE697E9545DE44D7E974EC4AC422D4846.TMP"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC467A29E\readme.txt

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amkhmin4\amkhmin4.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2331.tmp" "c:\Users\Admin\AppData\Local\Temp\7zOC46345ED\CSC52A4F268BF93462082EAEB7C1C831AE.TMP"

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

C:\Users\Admin\Desktop\New folder\Mercurial.exe

"C:\Users\Admin\Desktop\New folder\Mercurial.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilzydkvc\ilzydkvc.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EA5.tmp" "c:\Users\Admin\Desktop\New folder\CSC4495BD147024473FAACBD3E696C2954A.TMP"

C:\Users\Admin\Desktop\New folder\Astral.exe

"C:\Users\Admin\Desktop\New folder\Astral.exe"

Network

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-22 04:02

Reported

2024-11-22 04:08

Platform

win11-20241007-en

Max time kernel

300s

Max time network

202s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 4976 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 20.42.65.94:443 tcp

Files

N/A