mercurialgrabber | hxxps://github[.]com/NightfallGT/Mercurial-Grabber/releases/tag/v1[.]0

Analysis

max time kernel
1171s
max time network
1199s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NightfallGT/Mercurial-Grabber/releases/tag/v1.0

Score

10^/10

mercurialgrabber agilenet evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1239296125064974418/PUgXB5FXV6rG9VgXFqZRFI0mCViixOJ8UuqFBuJflxFjy8K_1Bnlcsm6oiqDYfXj8zlI

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Hydrogen_Executor_V3.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Hydrogen_Executor_V3.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Hydrogen_Executor_V3.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Hydrogen_Executor_V3.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Hydrogen_Executor_V3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Hydrogen_Executor_V3.exe
Executes dropped EXE 2 IoCs

Processes:

Mercurial.exeHydrogen_Executor_V3.exe

pid process

2260 Mercurial.exe
1904 Hydrogen_Executor_V3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Hydrogen_Executor_V3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Hydrogen_Executor_V3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hydrogen_Executor_V3.exe

pid	process
2260	Mercurial.exe
1904	Hydrogen_Executor_V3.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2260-626-0x0000000005260000-0x000000000527C000-memory.dmp	agile_net
behavioral1/memory/2260-627-0x0000000005410000-0x0000000005430000-memory.dmp	agile_net
behavioral1/memory/2260-628-0x0000000005430000-0x0000000005450000-memory.dmp	agile_net
behavioral1/memory/2260-630-0x0000000005480000-0x0000000005494000-memory.dmp	agile_net
behavioral1/memory/2260-629-0x0000000005470000-0x0000000005480000-memory.dmp	agile_net
behavioral1/memory/2260-631-0x00000000054E0000-0x000000000554E000-memory.dmp	agile_net
behavioral1/memory/2260-633-0x0000000005560000-0x0000000005596000-memory.dmp	agile_net
behavioral1/memory/2260-635-0x00000000055C0000-0x00000000055CE000-memory.dmp	agile_net
behavioral1/memory/2260-634-0x00000000055A0000-0x00000000055AE000-memory.dmp	agile_net
behavioral1/memory/2260-632-0x00000000054A0000-0x00000000054BE000-memory.dmp	agile_net
behavioral1/memory/2260-636-0x0000000005E80000-0x0000000005FCA000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

461 discord.com
476 discord.com
3 mediafire.com
247 discord.com
250 discord.com
460 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

457 ip-api.com
455 ip4.seeip.org
456 ip4.seeip.org

flow	ioc
461	discord.com
476	discord.com
3	mediafire.com
247	discord.com
250	discord.com
460	discord.com

flow	ioc
457	ip-api.com
455	ip4.seeip.org
456	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Hydrogen_Executor_V3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Hydrogen_Executor_V3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Hydrogen_Executor_V3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Hydrogen_Executor_V3.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Hydrogen_Executor_V3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Hydrogen_Executor_V3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Hydrogen_Executor_V3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Hydrogen_Executor_V3.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Hydrogen_Executor_V3.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Hydrogen_Executor_V3.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Hydrogen_Executor_V3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Hydrogen_Executor_V3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Hydrogen_Executor_V3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Hydrogen_Executor_V3.exe

Modifies registry class 64 IoCs

Processes:

msedge.exeMercurial.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Pictures"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2551177587-3778486488-1329702901-1000\{F69E8CB9-576E-444E-8B15-220369C74952}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Mercurial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Mercurial.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	Mercurial.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Mercurial.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Mercurial.exe

NTFS ADS 4 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\maxresdefault.jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\maxresdefault.ico:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\asd.txt:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1596 NOTEPAD.EXE

pid	process
1596	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeMercurial.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
5116	msedge.exe
5116	msedge.exe
2604	msedge.exe
2604	msedge.exe
4956	identity_helper.exe
4956	identity_helper.exe
3800	msedge.exe
3800	msedge.exe
4940	msedge.exe
4940	msedge.exe
4044	msedge.exe
4044	msedge.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
2260	Mercurial.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
3756	msedge.exe
3756	msedge.exe
2516	msedge.exe
2516	msedge.exe
4260	msedge.exe
4260	msedge.exe
2940	msedge.exe
2940	msedge.exe
5860	msedge.exe
5860	msedge.exe
1932	msedge.exe
1932	msedge.exe
5916	msedge.exe
5916	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

msedge.exemsedge.exe

pid process

2940 msedge.exe
1932 msedge.exe

pid	process
2940	msedge.exe
1932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zG.exeMercurial.exeHydrogen_Executor_V3.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	1044	7zG.exe
Token: 35	1044	7zG.exe
Token: SeSecurityPrivilege	1044	7zG.exe
Token: SeSecurityPrivilege	1044	7zG.exe
Token: SeDebugPrivilege	2260	Mercurial.exe
Token: SeDebugPrivilege	1904	Hydrogen_Executor_V3.exe
Token: SeRestorePrivilege	5388	7zG.exe
Token: 35	5388	7zG.exe
Token: SeSecurityPrivilege	5388	7zG.exe
Token: SeSecurityPrivilege	5388	7zG.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exe7zG.exe7zG.exe

pid	process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
1044	7zG.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
5388	7zG.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

msedge.exe

pid	process
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

msedge.exemsedge.exeMercurial.exemsedge.exemsedge.exe

pid process

2516 msedge.exe
2940 msedge.exe
2940 msedge.exe
2940 msedge.exe
2260 Mercurial.exe
1932 msedge.exe
5916 msedge.exe

pid	process
2516	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2260	Mercurial.exe
1932	msedge.exe
5916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2604 wrote to memory of 2744	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2744	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2204	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5116	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5116	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 5036	2604	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NightfallGT/Mercurial-Grabber/releases/tag/v1.0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1f9e3cb8,0x7fff1f9e3cc8,0x7fff1f9e3cd8
2⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
2⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
2⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
2⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
2⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3452 /prefetch:8
2⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5980 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
2⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
2⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1
2⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6120 /prefetch:8
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
2⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
2⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
2⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7108 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
2⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
2⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7852 /prefetch:1
2⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
2⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7612 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\asd.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
2⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8376 /prefetch:1
2⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
2⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
2⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
2⤵
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
2⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8436 /prefetch:1
2⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7924 /prefetch:1
2⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8460 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8352 /prefetch:1
2⤵
PID:276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8856 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8576 /prefetch:1
2⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
2⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8980 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8852 /prefetch:1
2⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
2⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8412 /prefetch:1
2⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
2⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9448 /prefetch:8
2⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
2⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9676 /prefetch:1
2⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8864 /prefetch:1
2⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9728 /prefetch:1
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9376 /prefetch:1
2⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8980 /prefetch:1
2⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
2⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9372 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9340 /prefetch:1
2⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9144 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9080 /prefetch:1
2⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:1
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10605629475615390967,6813884148153238672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9308 /prefetch:1
2⤵
PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\" -spe -an -ai#7zMap6174:108:7zEvent15437
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1044

C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Mercurial.exe
"C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Mercurial.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rj3tcv1k\rj3tcv1k.cmdline"
2⤵
PID:5756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE050.tmp" "c:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\CSC9831A1F7AB4E4DB6872873674BA5E8FB.TMP"
3⤵
PID:1148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004F4
1⤵
PID:3232

C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Hydrogen_Executor_V3.exe
"C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Hydrogen_Executor_V3.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap31474:150:7zEvent8214 -tzip -sae -- "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Hydrogen_Executor_V3.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5388

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2113caab-e1de-4c39-8620-10e19cd066e2.tmp
Filesize
1KB

MD5
01233208516d94de5f554988bfb56db6

SHA1
41d017944b440ae376edd282e72f05d0429a3da7

SHA256
eba15645112314093fdd6df6cd1c8f94275082b132a51613159e080a7fdf4e3d

SHA512
c8145b5b3291c3469437bc6acccbf05f9ab9bcd3818d9722461bb42caf8462dbe03016bceab12feb1359af6bf419f956dd14fac801b6a44245926363ce96885d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\46a9e108-74fd-47bf-b999-a486f14e0df0.tmp
Filesize
6KB

MD5
0fa05e3fde3304123325b8784043bf19

SHA1
aaeae4a48724a0d4ebfaa6fdb1bc6c60af37dfc6

SHA256
3bdc63fc03a09e4c35c0e804fb3f56e26fb7f296cce59c9d3098f5a369e2e73a

SHA512
f59d09211bebbf2643116de6a3f44ddf8d8bff63736721cadf169eddb9e3db80918b287ad316f3997d2960479645ee756ecc3c474540914614bb180917347e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
39KB

MD5
3490805f00d3a3e0e91bd165c7bbb40e

SHA1
b8da3e4394bba3c0171cf8cf53d3667946356b9a

SHA256
5592dd532714a81e43ba56f98961f852f09ed2fc9eb8396f6593b6dfe50fe46e

SHA512
3fcf83d58e9c65c8fc65e73a60eb32aca371d41c52674402980114927503670f967b06342c704e1d399338b8c01faa250eebb599bd274f7849bc25f60bdb367e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
1.2MB

MD5
b76a36f694fd69b229872393bd33b65c

SHA1
710ebf0e68bb65f2faa4356abe17f3d164e8b943

SHA256
1942ea4d2f0b066d0bbf102d25490e01e3843a204b2cc3cf2b721a7f7ddb9712

SHA512
8e4172f38b9b32658717de15c38f5b0c4dfcdbeb73424e6ba4f08981c868fdc240eb5776452f0a71395df2d0bc441f3f88ffaead5860fa672d992a94fb868a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f
Filesize
36KB

MD5
6cc40b01e860087cc645643f2979e356

SHA1
781e4ca68dc0f5f4a012fd77ecafa1da9b130314

SHA256
df2590f1ed6c7236490fda461dc43bd0ad04ca6876357d2392a693deacb6c62e

SHA512
a59762b4fdeac6cf5ffddd4531e83cd367d4ac6e77b6c7b9ed0032672cb443c45e944626034503d26acd79fca6f7baec980bcda462ffd4c1fa654aa7dd3446ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047
Filesize
45KB

MD5
30a274cd01b6eeb0b082c918b0697f1e

SHA1
393311bde26b99a4ad935fa55bad1dce7994388b

SHA256
88df0b5a7bc397dbc13a26bb8b3742cc62cd1c9b0dded57da7832416d6f52f42

SHA512
c02c5894dfb5fbf47db7e9eda5e0843c02e667b32e6c6844262dd5ded92dd95cc72830a336450781167bd21fbfad35d8e74943c2817baac1e4ca34eaad317777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a
Filesize
310KB

MD5
b4a7369d6a02f994814b5ea5c9d33981

SHA1
004d626f4068df518b4c87b9c02caef5f8fe137b

SHA256
d9547bde228514778b99a5e229191e3399281e3300d11fb1548b2986b582fabf

SHA512
c7013948f2f9fe13ec24b899aa6d4a1dc9861bca1000ba310363761f33b8237ae2d8c7cde16950acba05f4aea73a07a8cae3f6ed6f577dfb8d6cff13197b3722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064
Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000080
Filesize
64KB

MD5
475b50689dfe5ac600b3de04ace088ea

SHA1
fbb328c285b985d98e436e1a2025dc2ef814f08d

SHA256
bb3580399452f7fc44aa591302242cc83e1a1c5daad646fcc2d1d3e81b9b7bc1

SHA512
55bef283c23fe00a25ab86c8e62df455236bb4a114d72da8986d0ab51b46567f195d35f94de1e133ae61e95d121de99938aa02e80abfd38c3c841fde9214c381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\06450eb6a7b09545_0
Filesize
2KB

MD5
e19f5dba75df4d3f5c6e20592c0c0ee4

SHA1
ffedb3eba136428b580b9e4f474fc06f01dae10d

SHA256
d7fc5b64607e97b8da232fa781966f6016beb40a03822a417c41645cec97b96c

SHA512
53964c66694b14aa7f6a2b12d5281739019a1ad13731c7014b22f22a92c7fcb0002ce6a709bdf0f1b3447fea91a8901265895842f537cb4550caa40d5e219010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\06911b1e3be86d03_0
Filesize
21KB

MD5
15633a2001f0796099c56324dfd535b5

SHA1
3887fd1f3bb451e870ad2baada44d2e9f28d39de

SHA256
f71159ee74e63623c1f0092bde9075074a83c03c5c29c7613a873783c36e8507

SHA512
629fd29344595761ca8bf4c19debea6abb8c02b1b947e21a0f15518ed0893302bb585e61d9dadfe69f2dcbe430c8cfae5c3e9720e206712a9af456e23f11a31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0
Filesize
1KB

MD5
a17fa2303684f2d6a703b88baf0d5747

SHA1
8dbeeaf2e161fa4f166ef71cd296a5f98594f683

SHA256
98e42ec6e5081f1b2fe597d4d23d3580d8137269c7e5fc85198f4b48fa80906d

SHA512
a460f7759d1ecd83ae17ed65a4b6e98773e7f6d7a62413ad045e93eb5561c089ece8164d4eee6cbc19331ab6558c9ba7dad4b202c3b9874278c55c174894d163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\295f5e2112efe00a_0
Filesize
10KB

MD5
11a3d90c096d70c882072dc7058c9b0e

SHA1
f7d64666f7211d4cf5cf7e348169458703853dc0

SHA256
1003e2397002c8e442913901095561b95b5d2d34862b47cd426b84c70d81a847

SHA512
40ab4f6a68caa6c48ebf2e90146e38a8d8097cfef4c8449bef7cd683391ad4c48345ad6b6d6b1a7f2c40be6d23c4bd055321f3b5481b84291aae23f0bb0045b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0
Filesize
1KB

MD5
4080aa7698dc199988a868a6c3a09467

SHA1
0c599397bdc22e3b7127c68ff7e77f0527a362fe

SHA256
0ffe9dd6daab3a99460087cbb1fe8914c16b91e2ff6c65057ece291f8e0828a2

SHA512
a3ad3d044835f3b5345ec331856c19b018fc3fffc9a81acaaae1142031e80ee3ab1f03fa6fa52cbe81d1f8dc4cdb69e24469ea247863cba0f1dc81b05b97df09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0
Filesize
3KB

MD5
112062327405e3b5a5887bf1846a9989

SHA1
450556fc977f18121bc21d7e5055e0e43a4db8b8

SHA256
6d07d726ae7b672861f769e4ae5246af8f7629c9cf6cec131861e092fe8cc9ef

SHA512
ac78d4014149e0e5b7d591bc600181945de97d941e8ac696185a197204a698c12abee4bc7cc500921ede294d077cfddcfc725254307dd3d14cfa881d9d0cd7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\695c42f61090a800_0
Filesize
7KB

MD5
a6e86adeb1cc1c615463c8e45261136a

SHA1
d9a0ab97fe7985b69117e918ac9c8aad3bee993d

SHA256
ec8af032bf5819a41587bf8350fe7531399e0bf1d9f7d396c1fb149b296c920f

SHA512
6620f8ef33bf784b41b3d9ba38238a39536bf964d8eb254345be0ab9e64340a8c2131f93a8689dc2a8caece9a9394e1ffe75eb1e8487f50bd0698748405eef5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71da22abe269277d_0
Filesize
4KB

MD5
643be36c162e140b1065238df37fc174

SHA1
b8de4df27cbe695898b5a9d59cb83922451cb926

SHA256
740f0c2e71cb5b26486e87688a781243525f573a9c1216d09eb17a3ea5fb80ca

SHA512
a205381d6c24b34f1f9e69dc8c744d386e66421498aa50f32198b850575895deecf1eb2f8fa1f3af0782e62477829713b86b070caf1df241cb0d07f47175d2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0
Filesize
2KB

MD5
a0e1fe5bfd46bfb27b9d4a2eb0337d36

SHA1
b8b208021b952f7c45e9c1909b54a2e16fce8ddf

SHA256
95a50bba3eb200a67a5e16f9995df62e9e66f85d0acae33f9f63ebb65363cd5b

SHA512
b2cf725fedf5d83c45cfaa6d36ba71e3a501bb913420b0d1fe53f7c377a75f35e59f19572cf89a55c01720b2a227ddd3d9840e987ac9709b2426eb631e70798b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7f05d59e6df9a390_0
Filesize
35KB

MD5
c29fe8589e7f5f90b7477f10e72fef0b

SHA1
8dfb716478d59e7fc95e1bc72422b2c06541afb2

SHA256
3f192930797132b31da963469a0bdf72204822e78eda8d10ed0abc925d1ac023

SHA512
4069dbfd88b6bdd91166f3fb41aea3252d87216fd56da5115441cf1bbdd813ef5f0ed3ba33610867b3cff7caecb782aa80543134ae7d450a8e3b8043569bed99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8f8d1618f73adfda_0
Filesize
10KB

MD5
19ac96d8f8d29c646f7bd43f4949fb91

SHA1
bc102c12718c618eea9990d1e489f47b3013c13e

SHA256
351b088f40b4e2211f7606da59a3da24ccf23868d71fbfcdb2bd1cff8d7c0540

SHA512
72a17558d921675a1a103a3779284e77fc18bbf576a4cf9fc1fe7eac16821c3b53f34d18d276425eb37dabae736052115860e4398d0dcee9b53f87088607d6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9412c8b664751f90_0
Filesize
2KB

MD5
e65670fcdd9f7c0f24b1bcecac8bde80

SHA1
3fd65add35a59a7822ee7973cdcfd62c2a404e48

SHA256
91751704453d04daf8d53fb89238090c10b9fd5e960b1e4c31e4eaae537d2476

SHA512
726da16a000df9ea95f1bd3c6570c4f14b025b0798ad08216bfd95b1d8f6c7242361f039b01a79709fb2394d60a369b1c20b8c7e2327f439a52da40d4a210b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\94ebe1630900d094_0
Filesize
21KB

MD5
d53231e574d1a54ef2e91d269fbbf480

SHA1
ba4b4b85596af47fbc030859eaad9ef056f13a01

SHA256
5b04203fbeef9ae2059f7b91f41863da6990b107504153e24aea02a93318aed2

SHA512
725b7499f02ead0755808674504f898d81a93e9d0639e2b43f7dda27e5479d976c4a12d92335660fd91969826eff2b47f079978a03910c7eee70123a8c7ed333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\af2cfcaf6d9b18bc_0
Filesize
2KB

MD5
17ed4fe2705b14ca5692b5e8a7a77c9c

SHA1
28cbe1cdecaeff10760230113199ae30935bd91c

SHA256
2fb9038c7a0c989c5e1b705916017bdcfe4c72473ea468ea9d38028e43c6b761

SHA512
05ad12fdbd50572c6f3f3cedae746f2eba7aeecf3e398f927284578ae0e1b915952772e013488f95a6dbe69fbe691e7351ee86443050ec3213e8d589ccfb0802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b945c26106f43e65_0
Filesize
291KB

MD5
df97d254980bb4f2ce240f3653f61617

SHA1
b4e79c3a18374948ced937f49aee67872dbc2a65

SHA256
c723c01c4fc936fcd2e7eb9d55164a66971dfee7e96ecdba6cde0573bffa8b31

SHA512
b1cbe66c069028fe28d26d1888dd14d582ba565328a7a7de187fe9530d2f7ff3d06cd40ddd4980b5697137b491c9d9cb10c5fb33417f18225617a8c2c3bbf3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d7a29efad91a1117_0
Filesize
262B

MD5
1bc6316463814ad0b553b5ca366b0a9b

SHA1
90d9a666190eaaa21d093776d3449b2ab96bb2a5

SHA256
30bb5e579b819898fb531330c3f0aca8e624ad6d6318d74b82a129f9eb38c105

SHA512
a587328b45498365fc763f8078c5685d56ec457ca5db634cd6b1e4a21fcd08e52b196355a85f575bbbb5f4897b2e231228b15b8cb0a16680499fcca4bad74f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e55f0a6d1b533c66_0
Filesize
2KB

MD5
07371ed0f6aaebe13e5d969cc4800232

SHA1
bee24d5aa08166c4fe08aa3ff86e20a4d15a45b1

SHA256
cb9ec71aa43a6f3846a860c57918d594de622ba08301b4211b3fa1e60f5453ff

SHA512
a971df6a8f5342136b280fc6f8c51e1bfeefabc0ee6c11854ebce9ec64adf26f30033fc739de17bf04f61886c64395716447c9e3e6c97edb606a58116350b19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ed26cd2dcd561670_0
Filesize
9KB

MD5
986fe7760f3640c944020879154f8a5b

SHA1
7417da439cd5cc6bab3e16b299d51237b00218b1

SHA256
7c69db3078687d2d40d10e8aab5cde23f067483e9d09b61cf0aafc3998cb9c0a

SHA512
8f68da3d34e50f4d0708e0a38e22983235a176da01f2665280de32dda52141b4fb90dcdc216f40f1754b23e301c2aff7cc4ee42054b2d5959a4bb74304bf09f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f078f5fb70fd150f_0
Filesize
4KB

MD5
7d1d7553681abc671b0c83ee1317389c

SHA1
aad95882a8d25fb3a218be443b51ba6ccf6575e3

SHA256
7e3f4ace8e679b70836bc5b13a4ecac7101c0fc7b54b970919be0d84ef158e39

SHA512
d2e58a44ea8e243514aec8db0297b89ca3d6cb4735c97ee57030391353674a599720ebfba61b199c0f3790720f1c25769cae4acf0d2dbc0a7ba35b0021817e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f89251fac2b69325_0
Filesize
3KB

MD5
54317d3c4efedee09622452acc1aae0a

SHA1
cc84f6e734af2d550d63ec51448972b8b2391f90

SHA256
844c58964dfc247c55ed565b047ff7a7a0c30fc2e0c8b40de89928727f5ca531

SHA512
b33bb83611b72e7c3957d55819c72c3b770f42ca32dfaa6bfef4744f5938017a07e969405585a71be2d99e163673b25d6a1168f4733ef7c824977281efd829fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
282340a13e2f2d7261b578262e99611f

SHA1
6744f2113e82d230ec1b5e565c27511d18ccd18a

SHA256
3f8138d9a7c888da093d3700d7a59f0860473ecd0ea2d83626a5ea95ee158808

SHA512
ec0f3b7419393133eb713eef5b51d4bdac38b96edda2ceb23e650b9c1efe653b03c3f1eba0ed9d086c7efadd3dc0dd10de98f1b1208d908b4eb16e79945c84f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
70a20791a16f04eefc99d29e5786d973

SHA1
aba667f13761d25b7e02c5e9628e0be9f1ab500a

SHA256
daa1a0fb6d9e181a52c462a5938aee7c7750ae177d2f340097e470fcf51287bc

SHA512
f69ea7e4f6428009ea34dfa4ca271d46b4f38f7c3279919924e743c91d06a93fe65686b3ac2c74c6f776088200826c7f5e5767ff42c0f77fae460a3b81380273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
eb06c4232389c794ef367fc83e059904

SHA1
0bf6bb8f392cf309e028c70cedb7e46e4f10147f

SHA256
d59bf693fb92aab86b716e820fe2afbc407849ace446f4f6d5961d671b2ca034

SHA512
d2f150d0c190610e10965f6d4d2c60efc4f8e4e710e187d3270dd0d46ced4de5dc17d984e84cbd1e903ee2451f7f1d2f1c7f558afa8f24584bd8244e8a715619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
e7a3f8abcc95e20c0bba900ad6c24332

SHA1
e69658d46a465517031106e8a9888563ee7936c3

SHA256
d3e233be5e170188d4a060fca22da9c88aa194d0e8ac22098279550faf4c8094

SHA512
91c748375ea9b92da76e2a0bbeed06b5d95006f81dde2224145ea2c5aef595ddfc516e8fb2d39741cf810501b37a1b37577a6114a73e2d4c2803ffde427079a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
fc0dd4730555a1649001647007ff9a85

SHA1
d70e7b615e2eec1d6de665d15270f68aac6beef1

SHA256
eae99a953c53f675884ee99c2677f67f879677bf6207407dfcd3733a2e91d127

SHA512
cf89dd4b9c811abc935aaadb5320057aafbe2d469b110313ff439964ae73b83a81a75ffcba7e860f5ebd16d6d316963be1b99c017df3563f7be4e589a17a40d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
9496fdf17e8e354d692097da982cbe2f

SHA1
6ca817d8ff74bf4ba8c9164212a221801cfef4e1

SHA256
98045d3cb7265b8677fe9281c458f79202e307be013589502bdec65d1b7c9415

SHA512
b8c9df4919d088fa76a9def1fe8da6c927295844f73b3739f16324f8b4dc6c8294bc3151c1a5bfe8d5c6321478be49e422361e062ee4b7e5e4fe003bc8ac0a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
8KB

MD5
6d3a1af2edec6f0b34d9f1c2251e316e

SHA1
6cc93fc44c7499a367fd3e9a33049d5820972c03

SHA256
3ef77a8b0c04dd5ac8f3d55ee4706087ed774ccaceac6e37d48a8bd3dce1b53a

SHA512
f61c6bc8cecc34e3a1423ad005c96f1fa2849d1f80af8706e048d2981e3c2188e8f18b11f6f66fc40b2c4946016cea42b1feaf58fc9d3991a3c7b7c7f71b59e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
a85282425270a0f4470b39315348cb1b

SHA1
b3b6bc4ad5319cc7c3b412dc5f02ea110df8baa2

SHA256
460080cc6436a242d77bdc9e458fd5fadbc3f7a3c1bc2d81b60badcbf61b4b71

SHA512
b30689b1226747a827d17d497aa9c5370da5df706b1aae7dfc335235a1801130f704b3d41e4a8cb820b739ccd94b5a6c27b3c4b44f10a30d31a166c5b0b667f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
b723c28b196e603d9cbd6f6509e88895

SHA1
8f35c70909123ea4c56f80ffa4ce6d401b07a651

SHA256
0505dbf6c0aff609d425613a883459e6abc1e3affc933e447d75f74045f35629

SHA512
523e27a2e650d4281ed034a4c891a590dcded1b8543a0e9b48e04f41a32e3a67fbe9c62ed92af447accfe1fe2fe36702e733e8ec792f217139a1b9d183512add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
13KB

MD5
a8448db15922a9d2bb2608d5ef46933f

SHA1
b4b078914314ebc00d54d61a4df69d5ab6054ccd

SHA256
30324507da06322f7b3a2763c4584726c1bafc94a66e533866177be1703338fc

SHA512
8f147963294f9b44666929decd52c2d3253366bb2163926f714719feb889027021a72b4f8a148e5bb3d320ebeec9ee9db63b6294d8a46a1ac49bf1932e851f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1019B

MD5
b669cfd53e023d0c2303ce0cb60cbe03

SHA1
638736db86c2b296d3a43b8c7d51894aae407977

SHA256
c6f065b4cb2c30d8bcdd2f133d08cf882cb3026b1f16ed34196c819dffbb5d3b

SHA512
030c733d7a8fe0058fc90453ac3beac5755a8f47aba2245b2701b4569ec7bf7f0522b273e2ec88d77243daeb86147083c8fd139ebdefd35541f7eed65d282ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
586b3e044a7e6a44c4bead6358942b86

SHA1
17d7506f303b6c04ee466db2bbdcca3fbda7d640

SHA256
6cd07bfb3f1d32d3fe80875550a10cacf906dde3793efaff53a240eb33e360af

SHA512
011b355bf35aa0673145852baac1a9d05f7e6986ae2e5b66f9c150b92e42397d317a0b5ee279fe5d7b87d03f1ad7d8d59c2eef175177cf02963a34f628a364f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
c8ab50eedab5a0d3dcacd34764d71e2f

SHA1
7d17e1de17c1904598e46443c2f2163a3980c9d4

SHA256
2b1cb21bdc69dc567056475537fac0197a808b0ab3886342e745f3cc3ce97555

SHA512
be117b21a74994fd899cd104bf42d7905022e7f6e3a211d0e6e6177da906f45a0a1e9db6f58efad708dada9d4ac11f788146b4dfa51c7ed41ec6f73ad761bc95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
bfb73691a79f6c055962813bf57daaf9

SHA1
7d0def002863d797e78aea7f554e5bad308a7e48

SHA256
53bdd203c80de0cdbbe9131c41af9044d2a68da772a45e16c2c9e6e195958d2e

SHA512
192b87e456ae640424a4a43dba6b11fef502b3ca3b2da08d2170df9794442538ebff50645433559fbdcfdbf88b7f2dce2c88d2f88fb7145722d7f5104d007bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
ce6923bf6da6b029fa92c6fdddaffe2e

SHA1
84c0d550b1c2becae3b285de9bd08e280a8be1e3

SHA256
5685cf483bd0579f4f2973290da6e9d4d9966e2977cbeb6e74bee86acc1eb8da

SHA512
a91a61676a43a4994071fee3b25666448e784255f071c584104a0cf0016cb93806cae16854d3148ad1739cdf16b134db3889e906a554a7c1ac8cc9e7b9f40b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
c46d0d65cfa790b35364106c0636e330

SHA1
086658361bbb0f1a59bb636ff318fe2595d1279f

SHA256
4e86f86bf85a4007a57d939c186032a7fe1d05acf8d0a6d3a70165491a43b8f2

SHA512
4f27742148704eb31e1aae606978388f2bbc098627d9d502d120ffa4df3e0017ad78e120eb5e93b027328d7d2f9514ed9adec4f0a390cfb67bdcdcbe7ff48b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5c36091c896e2bbcaabf8114df517602

SHA1
6c3dec76a9ad27aa0da3472f5c019782e7333261

SHA256
cbf6e69e86c1bafdf30977e90e12fb5bbffee4919ece013800071ea491660b48

SHA512
6bfaedfb35a3bafe46c913105ba1e2ed96d419ce4c3321e98657eebae38ae213180ab569ecc851d599a8aa9aa0b4831c51de85392e0e4ef7908497b06d151cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
eba8a8ef7e20f9ccbf1a95b22fc2abd8

SHA1
d28ca33d09ac86724e8c0042caec56f5c7470231

SHA256
0a995676f87103374191308182463e3705df68d408b75922947bf637c36b5695

SHA512
bb260f33b8336a4a84f075f1682ddd4d42da27790ea64f813c00c5ec5dc555e86077a1709ae515254267c8b01732a5b776283840193c0a6952b361ac580aee5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f07aaa7340d33187ea80b41ae2abd27e

SHA1
27ac78fdbd241cc76bc784414cba27b6555a0707

SHA256
7a57173354ec8594637f4fb296d5e66c91ac8b1dd615abb461d95c7324d1cbb4

SHA512
cac98e5feb214e62e546e5c65eb5fc3f9929f0113a20b0cf926692a72c3bafb01b12744252986ecb49ddd7a1fa2f4683804d5ad25cc6920aea72cb7c6af77fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
3aed9ae1d63a6bac9ef1e07916e13133

SHA1
d8662c5d1a39d1d7ed05bf12b5ad488c9972bcb7

SHA256
03ceb717af8d88db14cb788a8d9da7f21e022eddb0214303b410dd13744a6120

SHA512
27ae723b82938c685d3b238ca6fdcc84f263aaa3d536eb4a34689758e6692b7c588716f456d548e9fe1a6f16d11ec0e708b500613fc9846190c725e47ff8e65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
d10af1ef233fb8fb72411a132cffb109

SHA1
82ff9fc66919b86e46381eb9330e81d4f794d6a0

SHA256
574335dd91862274e7c1dacbbaa4a190ad8062600ae4c4932762379a54279199

SHA512
37e19f00beb19086e1056dd13f975098902d6d1c1ecde858f68c3470e329ccf06838cae646cd2f404c4218c9ed6867ca77c73c80cd0ba907f5f43b05bf42b62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
d4a3b1ece01d4a69ea9b27682fab9088

SHA1
70f1f2fc6917abb98a16311034dc0481aaeb95d6

SHA256
6bc1414056bd83e87898ca0579c0539489b154604542db0be91c08c4b277f6d6

SHA512
2ce28b709c3018abe37e3bb027aebe6baccc1d1ae6ac5dbe6367c06592434c50b1b840d46ee43b573bdfcae39036ca9d4675ccb6153bc4bfd56f4e9517530bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
f4da41b8bf4a6efbf3f837c0f89b4107

SHA1
6a3f4acd2c25ddbd30075ccfbf8a4629aef00bc4

SHA256
4cc6f8d047227598d31e5ace6958d037dda0e768f91111b52c4f3696dc6ba557

SHA512
413e65f55d1cf131ff9ad3a1c7f1a5eec56a9e10d8b1a00de73bc02ecae7ff4a1f859b4c17df1867b356cb9ce9e8b89dc19f38a6901c26abbb1ebc05926291e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
932002479e32e1b2fe09930fe4449b7b

SHA1
ef6be6fbb871e61ec38fd8c69781d796b954a11e

SHA256
f6e34be13311acca49866f9a0fdcbf0771615b283262408d73dd230f658ebea3

SHA512
2e1ba3d70d8e22c1edfd8d8d1d2d22008c21427c1f9536ffe2398b495f9d6ba3d17c0aa14706502ff8a1dc95d94cde0525110bbd0f60ed3d3d9f13ecee2f7771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
5c99afb44388e38a5096e0ea0914ce8c

SHA1
0dd4613a2654c011bb29506a1a5d5a34eed5aa5b

SHA256
12e97f01ac43e97b213a9153ec66d9f2b0265dd30fae7c48a2fa4918143d49ef

SHA512
78c3dda52b1057b1506ba95ffeb762d5224124119e92de763ffeecae7c95d2d311f7570f69c0d121638d7493faf7ae738ed7df331b384434741205af9dceacfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
9e25c24629e622402d646d7f5501c639

SHA1
07b0eebf35a26ec32cf45724718b4992c97d3401

SHA256
9cdff6f5f0a90e4689987f1692c19e75a7ffbf0d36f464526a8fc0cb2a75f157

SHA512
f6cc66f56d0d7f912ee69f3e33fb6e24c72eec4827eb57936efce182167a4269ab2d9d73aa226723bda8ad08b83f31fe1519c5be5d7618d008c670c5bb48925f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
b2c4d1dca3c3876230d15083473b5ab2

SHA1
84255473b022946564e29a38898b36dc2945f561

SHA256
7f9ab77ce44023a29cd6be054c96ff0ce979429378850cb1fe3a5bd77d16dd12

SHA512
07b3867205b336e37acb94d0de74f3713e6c6f690417c53212f7b73f1c18f65467851f2fe18e013e081cce3fc142f533af9a3a084ce614cdc6f9945693a6da84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
991980fd04aeaf3bf49f5dbe7d5f72c2

SHA1
cb2fd5d4595ea9d500412e8324c63216093849b9

SHA256
7dd549b992b8a2cc13d7cfe8ea1ec1e0b6d45326d72048e98bb7223c079b88a6

SHA512
f7f014b72b5ae6883d57d37b14d0de40034496dcd454f5d1d848c2b2f65f7f688847ca073977d74593189b9fa21cd5579f6bc5cf801690c5d6c6f0dda1308b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
b18317eb4a22b9f792697e9a883d5f14

SHA1
c4e470e930393b5cee276accf3a6a17391a3f9a3

SHA256
da01f12153a8079fd0ae227899b5ef1b662613aa2a4139208186273c919f6235

SHA512
b9006add85bbcf3b09fab2dcbb3cb47d6c2bb1ad8d096fa4a3ec507c276d781a2358d2fbb89d3ff5bdaf2cf7fdd60129024ec57a8431f67378045212b9e3c515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
0d0554a648ab998a7c9969a7dc065a11

SHA1
cc2a38babf24f03e54b5e39d8434eb1396c22495

SHA256
1373d0a58e7215356763a1a9b5c6030f75a1b66d617f1f1153b59d119252ab0c

SHA512
8d0e37bc8c4a27c83a7e5e699f4c99cc7899d40ceb26aa0b4676354f58af95bdd61a5987e35d519bb2e1fdff904677afefb9ca25439c85ec5a0976c4692a9c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
b03ed01b102df60a573366d0778c7682

SHA1
592a1836552eb0bf9f7f9c79699fb4500ace99b3

SHA256
6947c0bb52a537086295830c74b1159d1529402cceacbc7a1d247566677cf9ec

SHA512
31a4314b4aa708936ccfc742710b4e9362a1d5e21cb2e2ae03b542bd6a1268918101f02458988846da747020d51278ee53bc16da2d529b8da5ea57b2b087f244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
5KB

MD5
7e662477f936fb07ae0fa8b96c911615

SHA1
c1bd457e4c7a04b4beed0b49d1ba671827c8aa47

SHA256
4728e8c59710001414363948340f97fe06ed24a7c74c35283771d3de2a7d30c5

SHA512
67b52b5f1ce71324b1e61d2e87877caba7b4c548fd483f66153e20d6031f00a25c2893e4a60690e255157bb732f724462ade20348f7adbe1d2e310a7a8986852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
73ede49dbcf9235ec799fc31a3ae50b1

SHA1
245c82f47fa01c276957135a94f1148055056b3f

SHA256
f0c9aabce0a2621a1d353b709bb6181c3a771514b22b79dcdcbf28edcb59782f

SHA512
3371fb6395095dcd21d1c6df6969bbb9b17927f313022aff1c289e7001178360111682ed55d4cea2c398f999adf380a28655416375f080623ddd75feab9e5e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b805.TMP
Filesize
874B

MD5
a261c7d2ca88638a6ba3d6b958370017

SHA1
74c807ac5697693ea11e88968886ed0266563220

SHA256
2444b3a04784e828219b661650a19b48d45963e60174174e3a615760d882713a

SHA512
a9b450dbec9d2b0cd9865a4a21c813220f0a98e28e01c39d9b1c2b40d55e3e7ea83b0414e59b358f3f9c3cfe520dc417cfb08355966138153ab813d7147df740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
25a9a11e9f5f5daf2d2ab38acfb51e24

SHA1
aa8f606bb91197c9e3acd228301069e310975d01

SHA256
c77993e276f57663be8ffde15be87a38fb2f121249309a82f0c14241e1fecc64

SHA512
1631a2df3fa4ec7fb0d92d6834d9e60229cef8970ce1688bf11084698b3592bfb8e786b1cb0810cea32080432c77ce9674d132070968e55f95c4b5cf37382cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
22d097774d6f80e661e3b5dc9415166c

SHA1
3ec014c9774f5c00e283da50aaa8384c465dcc67

SHA256
c891448ef8619091cb10e90119eb06a20dc92b2500d4f135a6354aa4e7bf03e7

SHA512
423413fdebb55b6b302b69eb5d40b11dae4bfdf7c931a9a94fd25132a5ab5c6c5d05024a9760184b2024e624b2e8baa88aa8956e3c38689dd966eeaccd3d7344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
d84aa3895bfe3587a4fb38108249219b

SHA1
4a528534a63485058ce90e7cafa0bc12b12fa817

SHA256
3c660d071c905cd483bf8b1c2077058357cbac8e339fd3f5091f1599910e2c2e

SHA512
720e461d98768ea2ce9a947ba973c1647e157ab33f46b76eb9f277f333b6d6fe0336f351d69ebcd7d7bc0025d8526bd402ee4dbdb430e3189613ef0e6dc8618f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
4c1ef2c66f1a3da301da9104f22554ba

SHA1
03649a27e73bd30c8506684cd15e89a57bb1d2b4

SHA256
6d46ae387d0a981fdfe798760bcc311774293206331a6592df92ee0059e0a20a

SHA512
04c0177ef72832e1bcd59e0f60644f14756a949368040d7399e12ee12f3b266011ea6e02bb267b52cfbcdeccf8a7e7380117dbe769bfbfae3073858053cc5c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
783f0c6c9d442ff2facc13d7763b1d06

SHA1
c09d60746fb44707534f3a2d74231403a93b945e

SHA256
1df609242b7db943b0bb3691a0dabc23366c3a727a80ab7ffc6b8e553c305be5

SHA512
019ceaa022ada9d845854689ed33ff72eb9e71aa2cc5cfcd6ac258bd98980f3b10997e0ce98d01459982be6fa4ff4d419a68a65eba50b3f0680dee0fbad3dc61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2e621e1165cf4e0c0d01f88f806aaafb

SHA1
61439e5076694bca4bc64aa1af9684af5376dcbe

SHA256
edefe4529f0bf8c0cf0b76dcded5d0e16d3097ee97683bda31ab8a423c2a68b5

SHA512
0592c3a5f42b38a1799d2bd27ddfae6144138592fbfb719882555360605182b8891ac0b34617df329d758240db51601b9268da7580ff6ee2736ffde5f29a617e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a7ce5c6b0c0c79886038563e44c6400c

SHA1
b15ee7d0860729699273dfc3d876e42ce43e95fa

SHA256
cf1c9a54254075424e4c129aa49c06da88798543cda28f6b560721ea35e33288

SHA512
dd457d8c8a464add7587490ec348abd88d5a7d04b015e1a1267794aa7e3372ec85c9ba5f4d93f150f684da650f153256a6eb03864697834785010d2f417e00e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
f0b211a015b1b34c73d4f9bb63236841

SHA1
6f7199a52a72372d34979ee7a8e50e6912b58865

SHA256
47e3919c7e1a107f768e34ded3a799eabc58f5ca80d9d410ffabb687703e94f8

SHA512
507fb02b010b9347fab413532b2b69f3cf2d870751039dd323a8f749f5dbe44bbf143dfdeeab2ec0e9d72abea78d0d2f13b3eb9480868900e3727ce7e3cecc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
38c1ecf7901bc91888173a923559212f

SHA1
fec6551f6d96490c07467e9cd29f6f29485e63eb

SHA256
ac318a5c8fd34b8617670708c0b1a39f2c08a9fe11c6c1a0bfc8ea95ba00878e

SHA512
b74821fe73f447ee6770a29acb143b41afd1f8fd4ebf84c2d95950174b374dd41fbcd09826f8be67eec3c00208b6e00b4c18bfed8be749560f85a829feff3828

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
6505ba4abe9e0974c558ea6aa3126c81

SHA1
96562de02ac39525de16cbeba385c82a19d65adb

SHA256
0253aa9d2b8240ff8fbef4b6d8cad83e569fb8609cb3d64d031ea6a53095c38d

SHA512
28415134a1085a5211a9f46845864010ba1fdb19d3293c6c955d654c66408190ff97860e47d82fdce1d8631945dbb3ef1dec89a9a8d69669ece7b6bae1deb4ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
19KB

MD5
1ea993edf9541dd2c730a280571ee349

SHA1
673c1dd1f593db57372c5022db46b491c243bb4d

SHA256
215a91befc743008a3c817aa3b80ac95a99ed87724ba39b5663d060349171c7b

SHA512
230aac94d736fd14c41c2d8734f1b198115d7ac7185dbc35136bd9965b139f8ea0148e1750cce6f0e843d885cbb836631729e5828051e72eb1ac5cc796e417cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
19KB

MD5
b9062e690bf4b71cc26f8504caca6166

SHA1
300a63f5466a07bdc3598f175dc4276c0e1478cd

SHA256
8fd78c429bd8884938d31a4eddcda54f0e225850acae278b56afd55d4323ad4d

SHA512
bccf38559b1ad8e075b7b654aef0d9c8dc95a40d28760f7a9beb4677a7f023fafef25b26e9e2323b27a152007bc1260b105f6e9248553c2ba46c6827266eab9f

Download Submit
C:\Users\Admin\Downloads\444ced4b-66b7-4c0a-8728-3ff4e4e698bb.tmp
Filesize
28KB

MD5
a9b28061739a0ff08e82cd86aaff2b03

SHA1
89270c97bad760d5d013a68e116984da2d1df7d2

SHA256
217a59aebca7258aece192402df8bf44fba4b56f47ad57c172268f87875c1afc

SHA512
73aff52665312042db0b0ea808499550af7f6021c69271bc207bf4e42cfc6238480b3f3ab68803e067bcde60919746b097317ec0b483caf626b233d56d1589a0

Download Submit
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar
Filesize
2.9MB

MD5
635903bad1ada856d701f34d3070ccd9

SHA1
3ff98d91b9a3a47bf9f64bdf161efb9c5ac99fb0

SHA256
3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

SHA512
fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015

Download Submit
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar:Zone.Identifier
Filesize
676B

MD5
221496980e0bcfa35716f1a67741cde2

SHA1
14380df62bb6e93850da3fdb29b321183b1d459e

SHA256
4a8489bd43028cf0031be783eb126d12ea17ae937e9a1d864f1e1d841224ae50

SHA512
0c85bf4ac189aae54a8acc16fd253eb704d8b677c8961c93f0101eafc9d266954ee65f9d055f52e71a8f6bd7b8057d2aaaf6f4b514ffe3e94f623c1a92b99078

Download Submit
C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\Downloads\asd.txt
Filesize
122B

MD5
ef68c22d5bb20867da698ac9724e154c

SHA1
3650374bd53ba9146f5e1607b9508719db827d28

SHA256
d76a62e82ffa655f468505e153857570329296f719435126867651d63a4d5229

SHA512
a25850f69c33402c1620070fca3c7b274d89d6833a0c7bc87132c0d248215cbfdf5044b3d767b309300e496f5e7f0b3a8aabcf20910bd25efd29bf6caa02935f

Download Submit
C:\Users\Admin\Downloads\asd.txt:Zone.Identifier
Filesize
309B

MD5
42292b5828fd605204cbf774c3cdf11d

SHA1
22d34e208a9fd6904d1e894f65e661819854ffa8

SHA256
e720d67487a2218174d46bb404667a82fdfe6b7a69342ccd4c008629f3078f7a

SHA512
00e2f145785978c9c961cccd55dc145e2d98cf3a10e7bb650f554b1769ed50519d9b4f1de2ff444f3e1d962a5b2140f790b7031375645dfa09a01b070fabe7eb

Download Submit
C:\Users\Admin\Downloads\maxresdefault.ico
Filesize
148KB

MD5
8b9610bacb5992c5f4b8457cf1838bea

SHA1
dfc4ff83daeef4dc9068ecd33555b1fde94eaab4

SHA256
99401fab1d13d3c9ff706b7d5c9cf80a2694230b9a2ffb6aa2d49b7603a95245

SHA512
c457fd1ca8749362237a3e781b0ac0f4b9227392d27b13df5d1d2bf83fa9967faecf4ef94c9bcdbc2ba71f4f78110597ffd9422d2a03f418cdd97f07cfb92c65

Download Submit
C:\Users\Admin\Downloads\maxresdefault.jpg:Zone.Identifier
Filesize
123B

MD5
95244fe930e49aaac3128ad3bfce106c

SHA1
04025dd72f1e54fc463fc93a379a094be67556af

SHA256
25de28129d59d262262c73b674459e99b3d2caa90eab1e36754e77c50e2f0774

SHA512
c4dad2cd6b55187596f984847414d5322b097b53ae81a1fbb5ae9ec3150a96d7eb9328c041abe1b8b6df2ecb9338de9b7e5d60b1ade041bba1b038ce6809c227

Download Submit
\??\pipe\LOCAL\crashpad_2604_BJKJZPAZJHLJIWWZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1904-2016-0x0000000000490000-0x00000000004C4000-memory.dmp

Filesize
208KB

Download
memory/2260-633-0x0000000005560000-0x0000000005596000-memory.dmp

Filesize
216KB

Download
memory/2260-622-0x00000000003D0000-0x000000000070A000-memory.dmp

Filesize
3.2MB

Download
memory/2260-623-0x00000000058D0000-0x0000000005E76000-memory.dmp

Filesize
5.6MB

Download
memory/2260-624-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/2260-625-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/2260-626-0x0000000005260000-0x000000000527C000-memory.dmp

Filesize
112KB

Download
memory/2260-627-0x0000000005410000-0x0000000005430000-memory.dmp

Filesize
128KB

Download
memory/2260-628-0x0000000005430000-0x0000000005450000-memory.dmp

Filesize
128KB

Download
memory/2260-630-0x0000000005480000-0x0000000005494000-memory.dmp

Filesize
80KB

Download
memory/2260-629-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/2260-631-0x00000000054E0000-0x000000000554E000-memory.dmp

Filesize
440KB

Download
memory/2260-635-0x00000000055C0000-0x00000000055CE000-memory.dmp

Filesize
56KB

Download
memory/2260-634-0x00000000055A0000-0x00000000055AE000-memory.dmp

Filesize
56KB

Download
memory/2260-632-0x00000000054A0000-0x00000000054BE000-memory.dmp

Filesize
120KB

Download
memory/2260-636-0x0000000005E80000-0x0000000005FCA000-memory.dmp

Filesize
1.3MB

Download
memory/2260-637-0x00000000060E0000-0x00000000061F6000-memory.dmp

Filesize
1.1MB

Download
memory/2260-638-0x0000000005840000-0x0000000005870000-memory.dmp

Filesize
192KB

Download
memory/2260-639-0x0000000006B20000-0x0000000006B28000-memory.dmp

Filesize
32KB

Download