Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

04/03/2025, 00:37

250304-aypd4svks7 10

02/03/2025, 03:25

250302-dym3tstls4 10

Analysis

  • max time kernel
    84s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 03:25

General

  • Target

    https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file

Malware Config

Extracted

Family

mercurialgrabber

C2

https://dcwh.my/post?uniqueid=7b57f570

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Mercurialgrabber family
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 6 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 12 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 27 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff39d546f8,0x7fff39d54708,0x7fff39d54718
      2⤵
        PID:1932
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        2⤵
          PID:1836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3652
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
          2⤵
            PID:3688
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
            2⤵
              PID:1892
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
              2⤵
                PID:2584
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
                2⤵
                  PID:4480
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2684
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
                  2⤵
                    PID:1952
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
                    2⤵
                      PID:5024
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                      2⤵
                        PID:2924
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
                        2⤵
                          PID:4000
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6092 /prefetch:8
                          2⤵
                            PID:1404
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
                            2⤵
                              PID:2272
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:216
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
                              2⤵
                                PID:3948
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
                                2⤵
                                  PID:4252
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
                                  2⤵
                                    PID:2076
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
                                    2⤵
                                      PID:1092
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2684
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:3640
                                      • C:\Windows\System32\rundll32.exe
                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                        1⤵
                                          PID:4760
                                        • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
                                          "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
                                          1⤵
                                          • Looks for VirtualBox Guest Additions in registry
                                          • Looks for VMWare Tools registry key
                                          • Checks BIOS information in registry
                                          • Maps connected drives based on registry
                                          • Checks SCSI registry key(s)
                                          • Checks processor information in registry
                                          • Enumerates system info in registry
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4988
                                        • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
                                          "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
                                          1⤵
                                          • Looks for VirtualBox Guest Additions in registry
                                          • Looks for VMWare Tools registry key
                                          • Checks BIOS information in registry
                                          • Maps connected drives based on registry
                                          • Checks SCSI registry key(s)
                                          • Checks processor information in registry
                                          • Enumerates system info in registry
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5276
                                        • C:\Windows\system32\NOTEPAD.EXE
                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\INSTRUCTIONS.txt
                                          1⤵
                                            PID:5396
                                          • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
                                            "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
                                            1⤵
                                            • Looks for VirtualBox Guest Additions in registry
                                            • Looks for VMWare Tools registry key
                                            • Checks BIOS information in registry
                                            • Maps connected drives based on registry
                                            • Checks SCSI registry key(s)
                                            • Enumerates system info in registry
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5712
                                          • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
                                            "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
                                            1⤵
                                            • Looks for VirtualBox Guest Additions in registry
                                            • Looks for VMWare Tools registry key
                                            • Checks BIOS information in registry
                                            • Maps connected drives based on registry
                                            • Checks SCSI registry key(s)
                                            • Enumerates system info in registry
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5868
                                          • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
                                            "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
                                            1⤵
                                            • Looks for VirtualBox Guest Additions in registry
                                            • Looks for VMWare Tools registry key
                                            • Checks BIOS information in registry
                                            • Maps connected drives based on registry
                                            • Checks SCSI registry key(s)
                                            • Enumerates system info in registry
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3032
                                          • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
                                            "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
                                            1⤵
                                            • Looks for VirtualBox Guest Additions in registry
                                            • Looks for VMWare Tools registry key
                                            • Checks BIOS information in registry
                                            • Maps connected drives based on registry
                                            • Checks SCSI registry key(s)
                                            • Enumerates system info in registry
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1648

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            8b5cfebecbfd715cf1c2e86aaba6753c

                                            SHA1

                                            c2d783bdd82fcfb68e8d566bcd34ead327ed7c13

                                            SHA256

                                            6fca1fe2a780fb27f0493353a73b9ae02e9671b51a50b07566a322abe3b25cbf

                                            SHA512

                                            b6ba779a8bb083a12f7f100c4c338d5902f2e2762654f70fb578dae4c0dccba1c7eec4cb0b5cbc1d8567fbb02624a077fe9f60573dbd12b78da4e5ae618a751f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            a690d53f0215760186aa07b114ac4561

                                            SHA1

                                            601015b3d5837e99e481db0dcdb0ea33fa80cefc

                                            SHA256

                                            8ee92ce70ce780b9af998d760d7226892a37c4a7ca5bddfaaaa5da016dbedd93

                                            SHA512

                                            935db7966c0c541b2894b83af14586dfffe138a2a18dc60bfd9d076fb724410841b5536261a090ce57525f8a7dc25e4bc3b133fce61569beebf4efb126607a7f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                            Filesize

                                            840B

                                            MD5

                                            bba345e1764a55eef47a730ba6a331bf

                                            SHA1

                                            3bdf4cb644a3e343b6aa1ac11d2008412c0753d7

                                            SHA256

                                            616b77578dd88cac31ce278c1c19fbcc4308b63903c480db9765f783c8b4e3fb

                                            SHA512

                                            2fe0e199e9a5a15f405c61ba5491311d72fc89db7df2e0b8a879b4d92e84ba4c121885a73a152302a96169f5fd03ad85ff510f6d99eaf07c7f1690b6803f9b93

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                            Filesize

                                            3KB

                                            MD5

                                            17913423d4c7b14d6b944d1a9c138e63

                                            SHA1

                                            896b1008b4431f99ec190ccfa6338363ef1bf964

                                            SHA256

                                            40427ab52e8367381f9cfa73eea96eebb33bc56968eba017dd9b7c91ac215f6f

                                            SHA512

                                            5d5c2d4a3ed595e245ad6d831ec783c904b6f62503a7e568a19f2a0a39c751ff607853ec8030791b6487c6ee9fb1648b58314d73a2b3e33b32ac2e4aa5dfa3ff

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            5KB

                                            MD5

                                            c94249f2e7055b474dc010c5f5d97202

                                            SHA1

                                            1281d2e5658fc8feb0f713c28addc4897e78434b

                                            SHA256

                                            1e7bd0fc441056cca993b8ce123437b91dfbaab55e23c28a19933c6eb861bb4e

                                            SHA512

                                            0af79e407db4457b60b5390aaccfbde203f7a5feb42e948dcef60b4afc8635d9651d183e671a27d37dcfca541a8e255933b0ea531ffb48a1fb696a23a8b3c667

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            7KB

                                            MD5

                                            0af243ec2fcaedbcea5add9ce21c2ce0

                                            SHA1

                                            f75b46eb31e03d14a795f1dfc9527ce532c2194d

                                            SHA256

                                            3f589a2a14af4966b7bb9c6744c7ed4b45b7cf6bd2a0305822280de58a526753

                                            SHA512

                                            10d1c33b453001b0fff7bef9b1fda27f08a54692e8a831b42f512b30fd502335820a29f6b885cb8d2166548fea0cf84508e051d4d66619a88fc21f4dd029af24

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                            Filesize

                                            24KB

                                            MD5

                                            9ac7d64ba533facf33c12b2972d57175

                                            SHA1

                                            0ebaf3c94cc3e9b9b02d7547a09bb717a947fdb3

                                            SHA256

                                            3a40027ca447bdbc4a277cc817c600cb359e26ff350c7bacf4c87e8b35f556a2

                                            SHA512

                                            96c4f83e1963bc4f6367b8916a97c8185cdbd9e33dcc89a541f1688103296226c017c84e3e41fbaff1ed197563871183f620562a02f1f0bcdee117247a878e91

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            6752a1d65b201c13b62ea44016eb221f

                                            SHA1

                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                            SHA256

                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                            SHA512

                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            10KB

                                            MD5

                                            2057652d9c97da3cddaaf146b43dd99b

                                            SHA1

                                            2afd4aa5e13c1951bd8f6b84b3778742160b2567

                                            SHA256

                                            2c5b3e52e0ef7020d57265f4fad75023d8a070f77515dfba30e12beee2e6456d

                                            SHA512

                                            77f4d2480e708991ab2e410272b3f612055bc9559e7c881b21b88f2a77b9943e81cf8af5c34f0b54c733680204cf577b4cf8273f66b044a9d12bbe0e316f9549

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            10KB

                                            MD5

                                            7228807ee8f2e8efdcddc2954724f148

                                            SHA1

                                            b4cad0ba2f58d531c93db42f8e1207c10eb5f130

                                            SHA256

                                            d873c83653a7ff679f45b29b92a96d83407938218c79dd195ac15a17e1a17f08

                                            SHA512

                                            2c420178882da54e1a406f9e4321051c2c58577a5e85e1aa34e294e45a3362744d6bcd54168fa46e2d537599cb90de4cc0c7525275ad0bdf81832950f9e8c653

                                          • C:\Users\Admin\Downloads\Executor by hubguy.zip

                                            Filesize

                                            20KB

                                            MD5

                                            7878443b620a278a050dbe62c8261cb9

                                            SHA1

                                            2edfaf71bbfc38656b0ceac176891ec4eee8df67

                                            SHA256

                                            243825d65df708eb8e6d3f32b6cbaf3d67b36a6f26fdaca9b0df3b6aadabd2d8

                                            SHA512

                                            a8eb0f11478b60967a6c85953f8c5967af081c78c10791c12fa92e1d242724f44edd83be0bfdd07238de5fb7511c380df3a102a39590de215bb15994ede62dd6

                                          • memory/4988-208-0x0000000000B50000-0x0000000000B60000-memory.dmp

                                            Filesize

                                            64KB