asyncrat | hxxp://www[.]mediafire[.]com/file/ao60hn9f3n32htu/MecurialGrabber[.]rar/file

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/01/2025, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.mediafire.com/file/ao60hn9f3n32htu/MecurialGrabber.rar/file

Score

10^/10

asyncrat default defense_evasion discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Default

101.99.91.31:3982

Mutex

ygjnwrxtrp

Attributes

delay
1
install
false

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Enumerates VirtualBox registry keys 2 TTPs 12 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	MecurialGrabber.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 4 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	MecurialGrabber.exe

Looks for VMWare services registry key. 1 TTPs 8 IoCs

defense_evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	MecurialGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	MecurialGrabber.exe

Executes dropped EXE 4 IoCs

pid	Process
4372	MecurialGrabber.exe
984	MecurialGrabber.exe
3056	MecurialGrabber.exe
2708	MecurialGrabber.exe

Loads dropped DLL 8 IoCs

pid	Process
4372	MecurialGrabber.exe
4372	MecurialGrabber.exe
984	MecurialGrabber.exe
984	MecurialGrabber.exe
3056	MecurialGrabber.exe
3056	MecurialGrabber.exe
2708	MecurialGrabber.exe
2708	MecurialGrabber.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MecurialGrabber = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\MecurialGrabber.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MecurialGrabber = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\MecurialGrabber.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MecurialGrabber = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\MecurialGrabber.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MecurialGrabber = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\MecurialGrabber.exe\""	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 1060	4372	MecurialGrabber.exe	105
PID 984 set thread context of 3308	984	MecurialGrabber.exe	113
PID 3056 set thread context of 4748	3056	MecurialGrabber.exe	120
PID 2708 set thread context of 232	2708	MecurialGrabber.exe	127

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python311.dll	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python39.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python39.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\LICENSE.txt	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libcrypto-1_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python3.dll	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libcrypto-1_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python311.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libcrypto-1_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\LICENSE.txt	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python311.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\.emsdk_version	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python39.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python311.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python3.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\LICENSE.txt	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\.emsdk_version	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libcrypto-1_1.dll	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\.emsdk_version	MecurialGrabber.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python3.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python39.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\.emsdk_version	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\LICENSE.txt	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140_1.dll	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\.emsdk_version	MecurialGrabber.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\python3.dll	MecurialGrabber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133823860054112686"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MecurialGrabber.rar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4372	MecurialGrabber.exe
1060	AddInProcess32.exe
1060	AddInProcess32.exe
984	MecurialGrabber.exe
1060	AddInProcess32.exe
3056	MecurialGrabber.exe
2708	MecurialGrabber.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4924	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1060	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3472	4284	chrome.exe	77
PID 4284 wrote to memory of 3472	4284	chrome.exe	77
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 336	4284	chrome.exe	78
PID 4284 wrote to memory of 2800	4284	chrome.exe	79
PID 4284 wrote to memory of 2800	4284	chrome.exe	79
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80
PID 4284 wrote to memory of 256	4284	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.mediafire.com/file/ao60hn9f3n32htu/MecurialGrabber.rar/file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2076cc40,0x7fff2076cc4c,0x7fff2076cc58
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1688,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1676 /prefetch:2
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3008,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3044,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4080,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4912,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5188,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4772,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4864,i,5164914188793719391,9234146003536712988,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4784

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4924

C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe
"C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4372
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
  2⤵
  PID:1972
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
    3⤵
    PID:1536
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1060

C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe
"C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:984
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
  2⤵
  PID:2216
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
    3⤵
    PID:3680
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3308

C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe
"C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3056
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
  2⤵
  PID:4608
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
    3⤵
    PID:4848
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748

C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe
"C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2708
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
  2⤵
  PID:4508
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
    3⤵
    PID:2348
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MecurialGrabber" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\MecurialGrabber.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
11d253b3a6f1f94b363fcb04e607acd2

SHA1
9917081d96e0d89a6c6997cc2d4aad6366ecfcbc

SHA256
20152f2fc1ca7717b9b858435b3658ce0879f28944bf822210e5ac5e148cc7ff

SHA512
101086c8c2805dcb8bb4e2a3c979574fea1cf0268859804c350f05a85945216de51bce90981a11d08c9a7043efee5130ede5c5a376cd86707dcc90c0e4f45334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
113afa01e2a753bf8846358cdd584fe2

SHA1
fa42ef00250fafa0677522bcd87d8e2629c1aa9f

SHA256
34eed0d5cc9fe7a7696e29227fbc97aae6607261a1bfe17b4bdc5fead6b94fcb

SHA512
b139ba2609b32bf806672b715ef85876b5391a3f3339fc6521b7b78b24ab5a1489040a0a53b6caa4eaf80fc9bf56819fcd845b63da462a9f61c80d8d29af091d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
0a85fca4f8193e641558331da0189835

SHA1
6d5479f95c4c69161e5844c235d86c56f58f91ba

SHA256
b6e970ad83eb3281f609f7ed46ab8b3380b3b1ef9068df2b00dbfa98a6d48b25

SHA512
df4302d0511aef2e048641c9bed1b4742528370deab6fbe0abda1b7cf0093c41e60d968a885bc2a0aaf0755ec2618b442a3f7d3069e4ae08b1599b74784dd2b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
2569929b59983f08fba5140d3cb2b53c

SHA1
637688de117a92f602b1838e6d90248b8c07110d

SHA256
dd071f1b14f5426313b0503c1890305be0fb0a761aac9a6a2937f3a1bf135ffc

SHA512
4d8577598238fd953249eb5ec78d049423dfd07da03d0903eb0b224c8d7fcf4f587ef94f0957e03cd608f04f2f2fec6d66a4e9e9a27a3ebfe54d17ecc87c9436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9420653c54f3af1057639307be071676

SHA1
837695e8f224dda7cf4ce193d5cb637e266c3b5f

SHA256
2b9ea6055017b03cec9aaeb132839cf470f3bb710ad170a6f69f96a65ea98f3c

SHA512
54e547e21163b18e161f1e58f9c1b9abe1a52a1be25c270e3979cbbcda12cfc488057eb7c7b646bce86ff06c2411dd965fe25dcb8089ccc9adfcaa5294230cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
b1018d75d4e96209285ad007e210bd38

SHA1
01cd94b35d45dbda3fff9cef08d7ad4f26a4eb33

SHA256
6070e646e33cb5822d1ba5df7df17696e3e50fb0352266aee002cac17f4baaae

SHA512
f08fa5ddc4bfed63d5d03977efb2e3627974b6f5354916c36a2a9d5ad0690820dd8b3c66da989941ef40c7d00eae7d50498c0858a8d95139d4c01247eff3b49e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5be8f6f161915ec258513011296f60c

SHA1
2dc910307cd568f949517fb50f2d589459eeda55

SHA256
ddce4eec2e9e4f5d650e4c2d5d3d98a663f0217642aaa8a68b5386c789db8de8

SHA512
dfa902e87fb8b275728622f205b1d3fb7ec07399bdafed17ddac7072dd2f8b26eeef3b92888cb07baa2d36cfb34112db4b52d2c310bc80ccdb9fccc7b2efd0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef7a66090704ee17bbfcd404642fc4f8

SHA1
240621502e9e498a8783e2aba5ac84d65f3cf6aa

SHA256
8f1efb56200ecb6c0510677c117fd7507f67e54bc769d9692901115b7c61e1ae

SHA512
1e3a8685979c796c9d1ef0631435bf7bc4a98d21ffe50b8387ebdf5468b8fbe115250e0c310cb77477c82e92318619f4cdb620b096b16264af02755b97a718c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f676f82c87e54f56d0729ba501f082bc

SHA1
2c9ff026606d82217feee802dac132f55bb677fe

SHA256
896aeeefbf404cc11402262d61ed2e9d89005e098da7eb8850558981df1017f5

SHA512
95d7398b01471f6b37c27314d600ea78cd02589b801298a5b2995aaccde43ec47c9f3ff397e704ec9e2c601ddf16f389b64d54a720f6298bc85958b8975ad0c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fdef54c6c7ccf0db7eef99f417015bab

SHA1
80a4911a1e792187916ad54c29ea92e7c9a9e48e

SHA256
91e67caaa6ccc17523695fb6f37420e803e158ab56247ae15cee93acf59b53f4

SHA512
742be5c9f596b63558a4a1c25a10244e9a58c6795c74c55f79301cf5fb4621e7a0d80e61f26170c40bc5487424dd25325d09b9879374745adefc2d02fe1f0f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d2516b3b112743deceb7d9051de8b4ab

SHA1
35ab4b7bd6a3ebd881e5bf58c54b362bd3990d90

SHA256
f11c08ff7dc500807b27971664fba2acfc0e37b2a28b461e268d9dada9f9f838

SHA512
d958bd724e21b17299d405054d73fa77bfa470c0d3e668c7a8f98c8544835d7ac73f708dde9cfd20caa14dc62fc91679a0101811cc479fff028987173a2f0deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4d917c2b64dfdbe7f2889bbe08933d7c

SHA1
24ebff2a499be9238607110d1dfa56abbad2bfce

SHA256
3d5845074cfb8e8ca1b84078e4b10b11fc320340c8a6a6aad32441f24660b157

SHA512
ad8f6ed5a5dbf19e8e11137d1064c7fe7aa97f90be1f9ee8d9a08f0409c0911e90c77eca7bc6379a9c293b6584e3ce9af87a8c5eb36c9e76c7017d32b9874654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c51bc206787e38770c456171cc856ca6

SHA1
900ae1a313f10b4ec7b1405b1948a6d4b5c9a186

SHA256
3b84525758babe2181e2c181f6888a38d9c60e6cc8197634e32b4ef1b492eae4

SHA512
62198ba5afa9e52fa2ab87639a284deed0c6ba283c85e046cc8d782de39ff0639e9944aafb0763cc18fe17b9133b3cdd135c631d4c0ca457098aa9e2d9ad2bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c9cddd3d6bcab3029a99879f97f21d08

SHA1
c543fe5e9891e4c6c2160737bd8c8afb48470d07

SHA256
6eff42ae32a8be55d5fc7dccc82f7cbb10f9b2c5d97195b355a86e4fe8b5b9a9

SHA512
489e38da28683ab016f0404a0294734e7b536b02ed866508a7c3c421be5396b0f7a59a55ead6d8cd23a491ed985b7edebc4e8cbd5b2f90a6a730d15f9b657af8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b660295f056a7d7cabd59f555eade3cb

SHA1
51af4dae514c266e59f57b4ba4a27d985a6919c8

SHA256
49e70e65f76248bc0fa110e991520ada02310733e550ee4ded6d6969ef134b74

SHA512
9a4e5b6cfdad86b610340e1aafcfaa5f194ac41b526e394a2a07f47db23b612833f27e3146d6ea178478e03271473e10f9c1a0c37541668364d3e2a84ef36e58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ba105d3d3ee9ca176c8542133fbe0a1

SHA1
0eebf08c8197c562629c2a366c4c1b4f32c988d9

SHA256
8683a37c402f10ecaa9554009511d464e307e5ea199e6b5fc1d75ecc4c66f9e6

SHA512
cd08d9e1393e0c6700bd9fb57d4aef8302a0b29d3a2ed31b07ce919286fa8c933eebb4aa54d1ddd56042756707f555f93f7f07e0aacd40f07626df97994660d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
9b265fa3887530d918fea5272a56c568

SHA1
b952d9ac93463857de4d2ce077b19c26a4dc36d7

SHA256
57181b5904b049842b369d0c9364e8cad7936ce5c14d22aacd1922252974dcdc

SHA512
59242c98bcb9597a3f7ef60e8fc5be0e80069f66436e16a841f410eef88f4c34f4d9298a63dde02014f1436eb09abe5b11aa5674f910703d29cf99bd9c57b9ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
6f13c2a093b1001656aad716a46add78

SHA1
7cb0e067b9b986c7ae12174d4654afa5172d610e

SHA256
484ac1694b02b9ada68795de25f8ac5fda5d7686a63d0ef274ac0cf412610654

SHA512
9db5a689ef0500a63472bad9a1eb0bd1ef3dac9d64310940ca75d469d6820c267f97f3ff6d8423f6515808ea00fd2a164c5c923f21406540fe5e71a191a8c18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e321505b-07ff-40f0-86d4-a3ba1d7f4e16.tmp

Filesize
116KB

MD5
f401915d5dcd0e54dcfb17b152105530

SHA1
ed0f8af62adaab978d0316df2277e4d0d9ebb883

SHA256
6d14cdee3b64a24076fd08f45280ad63a4b587d2b7f44c4708824c1955e3cc2b

SHA512
6bae2843f409d181a1f6477411cd8a8dd31be0cf926ec6542d4aa337af563a35ecb6008adc127aa33e549f0cd1a2f81acecd3c6dcb0f73a3d4b9e6fe1c99218d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
942B

MD5
98fe0a1fc7758003711d8e3e1ae5fe6b

SHA1
d40c938ab81688aa66bf2b6e603c607c05941362

SHA256
144c877bf9a52869a04022685a90bda90974aa13796121ef61343147e0d2ba45

SHA512
88aa58a64e2133dbdbda01e94cbe5302acdbd6a73161c7dcd25431d2460b4f884380ad52cbb068eb8e8659948b95117924658d917ac3cc7809004dd01176a382

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC3370CE8\MecurialGrabber\Lib\site-packages\setuptools-49.2.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC3370CE8\MecurialGrabber\Lib\site-packages\setuptools\_vendor\packaging\__init__.py

Filesize
562B

MD5
2eed0787819307cc2e25cf45a4a9b5ad

SHA1
74e5f4a45cf9a2e4e3e1f66456676bc7c49b2fd1

SHA256
e9e9dba795e045f8c18ec23df9b9f4d078c77f94c7db53c330e2a4256f31c3ec

SHA512
3dbe5d38dfbafdae2bd2d0bc621996e3b5b857e714bb2f24264a88d929349255f9332256ce01121b8e19ba9f2ace51d5da9db3898066f43ad2f4975ed2692537

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\.emsdk_version

Filesize
26B

MD5
c78122ee27d44a80cf06ec828f5d4829

SHA1
1afd5c015474831d8515d737830288c48aee613c

SHA256
746b9fd1fa79fa7ed9f2ee50c1f6d15cfcdd96ac3bd295beb1234356b927785f

SHA512
8b634a45d4699c14e9063de09c4908811aab26da375c49b84b396e8720ad720fc342c6292dbd932046382936c6b1632dc20cd5a230f8184249c6c6fdf5b601c1

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\LICENSE.txt

Filesize
31KB

MD5
82ae42c1d0e6bc5c1609e97e2a2e8b24

SHA1
06a19d53ff74acd0687002f8ec24bf74aa9a7de0

SHA256
f830ec5b33c5ce41bf667d7fb4e395c5ee6fe20a108baebc99be565f0ef0907d

SHA512
8be0896d5b88566e5b19ffe2e1fa40eee32f9f5dbdd976be9a3e9c583b05aa64643af83b725a5401e6a9f48a0b2750fa7dd1a9a460a6cb55d36c636f696aadd3

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\MecurialGrabber.exe

Filesize
109KB

MD5
b2380c9d7ff211025be9ac4828117d3d

SHA1
7e02f30c3d1125a1cbdeb640da8e537e87aa6311

SHA256
5fe8cdf2f234f528aa9aa0989b21c3d167050753208be42b94cc6cf1e9a87c00

SHA512
38711cd9bd1f0fb25986bb6a242afc38abce4ad11b92d26dcdc1758a0e4f07ea245621a90154bbd397e72fdb2f68c309132b11cb7d40cec0b1291aaa81eaad9c

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\python3.dll

Filesize
68KB

MD5
a66065b5cb0241283b1d2044db22177b

SHA1
4a6cbae1158f7cde8642f6785d75c277d95f46d0

SHA256
8303d46754d644dab94d4f56dcbc0f1a38156541e0cb394564ac394d11907e8d

SHA512
778d2383489d91752b87bfb4d5e58369344d69576b3b183cc6c3e6dde9ba5fb31e3385647eb8ca89803543e47644b5e5b9684494c614236b1fb65b67b8a12a42

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\python39.dll

Filesize
3.7MB

MD5
4a482ca8e4947719d06a60c30ce4ff76

SHA1
00a8a5c487f3980d3de433f084a71561acc722dc

SHA256
3ba20eb48bfaa4acfe2bf0315601cf9bf4653197f70a009f51bffc2c8124518c

SHA512
07d283d478a8bc96fffe4465f2d3166fe1e2531ec4f4419b7cb9286068fab17932c2da9adf2226e2a4e631085fed4858aacdd67162ffe4c91613383398f3d992

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\vcruntime140.dll

Filesize
101KB

MD5
f06cba1deb2d9197cbee30ee22a4afda

SHA1
9a039d7d51503ea3d91bac09642918eb895b0564

SHA256
6e988e57df4196e95920305e023c771a0029693948e932356d011c58d0729b59

SHA512
11e48ddcf2f12ddadfe1d375be58fee24b1bc42c4e4583712003822892731b94e6a203713a13e2b84c28c4eb72917764c20e4e789e80236ea1f4dec3c2c0d1d7

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\vcruntime140_1.dll

Filesize
45KB

MD5
52d62a746ce3063273b7d6858ace6781

SHA1
f17233cf8fda743f67edbdcdd68741331d60051a

SHA256
7d40936065488eed408958a40f7bb95f048afe25f6dbd7c1ac83235a0d46bda0

SHA512
09ac4cf2ac1c69a71328fab1228b64d27f73e63134f7b1f9396b4abd44477555198fadaee60f69ed1770620a240a8bf30f2f4aa3b88674f8df64e926febcd75f

Download Submit
C:\Users\Admin\Desktop\MecurialGrabber\vcruntime210.dll

Filesize
18KB

MD5
9c0c1d4a9bec97627968ce6e48965122

SHA1
8e7c4ec627ee439638a6f92be75a6a71fa94d6ef

SHA256
c971915996a7ca18e8938bc0c057d3fdf393735f130b7a5846c73c6ec21d728c

SHA512
a87afbe5700cbaa61d462f008add1a20699afae0d1e3e7a79109862dfda63258315c083dccb79b93d21e18e5c29c804b1f939e36b2e26b70cc85a7f949e3020a

Download Submit
C:\Users\Admin\Downloads\MecurialGrabber.rar

Filesize
14.4MB

MD5
50b3300d1f4ba5697e935a46164fbac1

SHA1
5711a30e5d85855013ab5aa69ce7e95bf6b45c29

SHA256
180c1ba2f823d2ac5f3592f8ab813d41d8820ef43ba186392cab91679560a003

SHA512
d37aabfebae43c208918dd20cce394bc0cda8491385b037d7f8a911e203d899ea4e3a1529beeaba48dc25b645eb8d61cb505c48bc00f76efb85285b1144dd547

Download Submit
C:\Users\Admin\Downloads\MecurialGrabber.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/984-3154-0x000002361D350000-0x000002361D360000-memory.dmp

Filesize
64KB

Download
memory/1060-3133-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1060-3150-0x0000000006BD0000-0x0000000006C36000-memory.dmp

Filesize
408KB

Download
memory/1060-3134-0x0000000005F10000-0x00000000064B6000-memory.dmp

Filesize
5.6MB

Download
memory/1060-3149-0x00000000067E0000-0x000000000687C000-memory.dmp

Filesize
624KB

Download
memory/1060-3146-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/1060-3145-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/2708-3207-0x0000021E1D1D0000-0x0000021E1D1E0000-memory.dmp

Filesize
64KB

Download
memory/3056-3180-0x000001FF832D0000-0x000001FF832E0000-memory.dmp

Filesize
64KB

Download
memory/4372-3116-0x000003136B7F0000-0x000003136B800000-memory.dmp

Filesize
64KB

Download