Resubmissions

  • 04/03/2025, 00:37: 250304-aypd4svks7 (score 10)
  • 02/03/2025, 03:25: 250302-dym3tstls4 (score 10)

Analysis

  • max time kernel
    100s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/03/2025, 00:37

General

  • Target

    https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file

Malware Config

Extracted

  • Family
    mercurialgrabber
  • C2
    https://dcwh.my/post?uniqueid=7b57f570

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Mercurialgrabber family
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 5 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 5 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 10 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 23 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
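The five environment checks flagged above (VirtualBox Guest Additions, VMware Tools, BIOS strings, SCSI identifier, disk enumeration) are all plain registry reads, which is why a sandbox can spot them without instrumenting the binary. The script below is an added example, not tria.ge's own signature logic: it replays that classification over a Procmon-style CSV export, mapping each registry path to one of the report's categories and flagging any process that hits two or more of them. The key-to-category mapping is my assumption based on commonly documented VM-detection keys, and the log rows are constructed for the example (the PIDs echo the report, the events do not come from it).

```python
"""Map registry reads to the anti-sandbox checks a tria.ge report lists.

Added example, not tria.ge code. Input is a Procmon-style CSV export
(constructed sample below); the key-to-category mapping is an assumption
based on commonly documented VM-detection keys, not tria.ge's own rules.
"""
import csv
import re
from collections import defaultdict

# Registry locations commonly read by sandbox-evasion code, grouped to match
# the signature names in the report. Assumed mapping, for illustration only.
# WOW6432Node is included because a 32-bit sample on x64 is redirected there.
ANTI_VM_PATTERNS = {
    "VirtualBox Guest Additions": [
        r"SOFTWARE\\(WOW6432Node\\)?Oracle\\VirtualBox Guest Additions",
    ],
    "VMware Tools": [
        r"SOFTWARE\\(WOW6432Node\\)?VMware, Inc\.\\VMware Tools",
    ],
    "BIOS information": [
        r"HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)",
    ],
    "SCSI identifier": [
        r"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+\\Target Id \d+\\Logical Unit Id \d+\\Identifier",
    ],
    "Disk enumeration": [
        r"SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\Disk\\Enum",
    ],
}
COMPILED = {
    cat: [re.compile(p, re.IGNORECASE) for p in pats]
    for cat, pats in ANTI_VM_PATTERNS.items()
}

# Constructed Procmon-style export: PIDs mirror the report, the rows are made up.
# A path containing a comma (VMware, Inc.) must be quoted or csv splits it.
SAMPLE_LOG = r"""Time of Day,Process Name,PID,Operation,Path,Result
00:37:12.0012,Bootstrapper.exe,3504,RegOpenKey,HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions,NAME NOT FOUND
00:37:12.0015,Bootstrapper.exe,3504,RegOpenKey,"HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools",NAME NOT FOUND
00:37:12.0020,Bootstrapper.exe,3504,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS
00:37:12.0021,Bootstrapper.exe,3504,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion,SUCCESS
00:37:12.0030,Bootstrapper.exe,3504,RegQueryValue,HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier,SUCCESS
00:37:12.0040,Bootstrapper.exe,3504,RegQueryValue,HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0,SUCCESS
00:37:13.1000,msedge.exe,4656,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString,SUCCESS
00:37:13.2000,msedge.exe,4656,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName,SUCCESS
"""


def classify_path(path):
    """Return the signature category a registry path belongs to, or None."""
    for category, patterns in COMPILED.items():
        if any(p.search(path) for p in patterns):
            return category
    return None


def registry_rows(text):
    """Yield only registry operations from a Procmon CSV export."""
    for row in csv.DictReader(text.splitlines()):
        if row["Operation"].startswith("Reg"):
            yield row


def categories_by_process(text):
    """Collect the set of evasion categories each (name, pid) touched.

    The Result column is deliberately ignored: a lookup that returns
    NAME NOT FOUND is still evidence that the check was performed.
    """
    hits = defaultdict(set)
    for row in registry_rows(text):
        category = classify_path(row["Path"])
        if category:
            hits[(row["Process Name"], int(row["PID"]))].add(category)
    return dict(hits)


def flag_sandbox_evasion(text, min_categories=2):
    """Processes that hit at least min_categories distinct checks.

    One BIOS read is normal for installers and telemetry; several
    categories in one process is the pattern the report shows for
    Bootstrapper.exe.
    """
    return sorted(
        key for key, cats in categories_by_process(text).items()
        if len(cats) >= min_categories
    )


if __name__ == "__main__":
    for (name, pid), cats in categories_by_process(SAMPLE_LOG).items():
        print(f"{name} ({pid}): {', '.join(sorted(cats))}")
    print("flagged:", flag_sandbox_evasion(SAMPLE_LOG))
```

The threshold matters more than the key list: Edge and most installers legitimately read a BIOS or CPU string, so a single category is noise, while a process that walks VirtualBox, VMware, BIOS, SCSI and disk keys in sequence is doing fingerprinting. Extend ANTI_VM_PATTERNS from your own baseline rather than treating it as complete.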

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbef3046f8,0x7ffbef304708,0x7ffbef304718
      2⤵
      PID:3616
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      2⤵
      PID:2088
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
      2⤵
      PID:2388
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      2⤵
      PID:2732
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      2⤵
      PID:2836
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
      2⤵
      PID:4716
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
      2⤵
      PID:3204
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
      2⤵
      PID:1408
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
      2⤵
      PID:5124
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=180 /prefetch:8
      2⤵
      PID:5320
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
      2⤵
      PID:5328
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
      2⤵
      PID:5312
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
      2⤵
      PID:2056
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
      2⤵
      PID:3444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
      2⤵
      PID:2580
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      2⤵
      PID:4700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
      2⤵
      PID:5960
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
      2⤵
      PID:644
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:5632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
      2⤵
      PID:100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
      2⤵
      PID:5464
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      2⤵
      PID:3856
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
      2⤵
      PID:4364
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1168
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1244
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5788
  • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
    "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3504
  • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
    "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3952
  • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
    "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:2240
  • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
    "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:5988
  • C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
    "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:5416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 56361f50f0ee63ef0ea7c91d0c8b847a
    SHA1: 35227c31259df7a652efb6486b2251c4ee4b43fc
    SHA256: 7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0
    SHA512: 94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 0621e31d12b6e16ab28de3e74462a4ce
    SHA1: 0af6f056aff6edbbc961676656d8045cbe1be12b
    SHA256: 1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030
    SHA512: bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
    Filesize: 768B
    MD5: 91eba36c4aa356b3aca375b63d86b0b5
    SHA1: e9f5d1e7624a410af7892979d636e6bef54e3c0c
    SHA256: d9dc08d3df989d087851d81d4bcec9fa09aee8a47bf9e319b171462fbcb99f99
    SHA512: a3e217c699a11121eb1a81852b822fdc673b01492e845519a02d321cc194c76c7061de853d793c3ad9ee7f655dcab50565b57758521406a48face3e21fb43dcc
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 744B
    MD5: f7d3a9bda96ac8b63e57e9890f4d93eb
    SHA1: 99729aace3f969d271da2ca7958d97f8b830b057
    SHA256: 45e37348c27d6307aecae0b6db7dc0c7b7a6fb378e4c75e434196943c80a5fb8
    SHA512: d0408bc7be6de2d371d76f37dc6707aec3065ac0a911b2ad2918069983a12dd8c2aac34dfc8469e17ba0125145c9bb05910db2cb21dbb0d72a19a32b01c8f4a1
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: 3e69aa6ed900094216550b42257fc5ce
    SHA1: c6c3f7d8717f8751b49f28401d1e733585b0a00f
    SHA256: fddf6bd5b386020009fb82ffcc48579fcdf6c62eb8d283f80ee4910d27a06c62
    SHA512: eefc59f5f523e0203a8f7cdd3ff9329ccefe02b5a27c3439e2348d6bd1eff0255ad60ddfb915b17f240f158ce7ac0ab88c25bd2a25cf3884d25b1a4a0484f3b7
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 5KB
    MD5: 2df4a94969f8a38aa060b586412ca0d5
    SHA1: 9a895dd88db946a2a73661fdaba5381503477b11
    SHA256: 7c8401ed97e20fc14de8313e6c5b9186adbb748548506f28b55da9cf14cf8259
    SHA512: 7c3c9e338d47b4526f2af8456a1a67920fa02241947fdd62dcf524db1318bdae19224c5008b635cfe2893f9cbb9e5962c3e454c37a3f3ff033471562e68c94a8
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 8KB
    MD5: 7c06e4856cf006cce32c07b3f6e58f58
    SHA1: 774d28955a13d7dc434eba14caf506d1d0cf8c7a
    SHA256: 338e4ee38c78cde010d826a4bf7739bbb9322139ebaf45012719dfeb4cd575b7
    SHA512: 351f0d5eb17dc9205f9362f6e215ca49af6e187d59bb54aa2d5b5d32fa69989a87a60893fe65aa53a4ba160e46df15a9858c6631c3457f9d057102e1e34b967c
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: a79e6de55c6fd81016285056ff932d66
    SHA1: 96741c2394b99ab19fda496936a284e37a4ae052
    SHA256: 65e620bd2a2ce781a3966fe311428c13cb0b6f2e66658ff944c5e028a90e2e5a
    SHA512: ff4950c5cc43f6dc78594445b286791591234f5d971be3f9700aa4f636622810c52205899f34d7d4c9a9a84ea5dc9901fa84ac2c460463ce83fd5bd258680282
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 633503e9d79c6c43353f0625cff95dde
    SHA1: 6394cc3cafed72003d603750ca817e26b54db2e9
    SHA256: f324838ff5eca5e300e1eb809c9bf29446725866d6e538c0a6ed9353614313cb
    SHA512: b562b8f71f7877e1d913f6d18ee11084675d625dc5896215047accc7887635e92cb03b3a049dff1fda498db8e2cb577d8346db8435ba848b8e56c24e5f2eb2e9
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 9KB
    MD5: f469c54b9bd99c414f4e5569845f77f4
    SHA1

                                                      e688923f0781b21f8713188bd426e599f9eb66f2

                                                      SHA256

                                                      160a57faecc98eb2f2f7e4102f8b801f19290d94e8a1de025de22d82e2a3b962

                                                      SHA512

                                                      63b846a34dcb6eb3d5b7abd18253790a987766e2c2b1334d0d435198983cfed42154f1f16c2558eb7958c800b437fb11e13a28c1c44bfd7fcde11a78d5eed862

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      77c256d7e3cd4da960621196055701ff

                                                      SHA1

                                                      ed05c8698af482a4a86caaa408c69e37f31a36c2

                                                      SHA256

                                                      26a12e594a833ef019b23f79f07b0a97e89c23926bf0e33a97f02fb06d62a536

                                                      SHA512

                                                      dc8f42fab4321654dec5d14812013c9b60f0d1395ee0543f7f1337a66b4488cf6efd7b4fd3e7aedc3b5dc6381047cc242d4bec39253ace5eca684cebc8ee3316

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5895e2.TMP

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      5961b6bfc7925d7f90b3d03013a8bad5

                                                      SHA1

                                                      227200ca1cc86c4838e64c464386bde39df1436b

                                                      SHA256

                                                      590aea27dfc8b7258578fac433da125cffcf9a5ea8c6b7c943852e161e9f99a3

                                                      SHA512

                                                      08851867c6ef27a9e50a0c7bd79cb23cee92b51a80318d252cd76da3105b8db3e4cb955ac58254e4ae48797c82f35a2e9db6dfa50b202ce3e8524c8feaee30af

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                      Filesize

                                                      16B

                                                      MD5

                                                      6752a1d65b201c13b62ea44016eb221f

                                                      SHA1

                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                      SHA256

                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                      SHA512

                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                      Filesize

                                                      11KB

                                                      MD5

                                                      b6a4183fc48cf825311fac4c018b4f09

                                                      SHA1

                                                      f76395438a11ed7ec6453cca10b55bb29e5feb8d

                                                      SHA256

                                                      1297f838aa87e6ea1130ff75e029a42c0d08f2a1c7ac938a6abc3c5e185ec89a

                                                      SHA512

                                                      725f902ed0d4da61b1d9a110af39848499c149c06412f9f7632ae6676c11c190e1bea4a304736151f7f32a82e52475b04575977dff06e7b10716e0d540ee3cc7

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                      Filesize

                                                      11KB

                                                      MD5

                                                      d7421318e28992cf62d3317c8fb5c510

                                                      SHA1

                                                      3961b57cb6384633d8f7894a212149ed443524f5

                                                      SHA256

                                                      b304c3cc089f3ffad43fa8ea8f641d8268485e5fd84f4fb90547dc0754ef6d37

                                                      SHA512

                                                      d2d2b1eae84e3787cc03306c9be4966ba2eb06d34ba3cf920542c9e908712df9940f8e90adf71b2418aef19c43dade20f2e41a708abf505b2308e0059438abc3

                                                    • C:\Users\Admin\Downloads\Executor by hubguy.zip

                                                      Filesize

                                                      20KB

                                                      MD5

                                                      7878443b620a278a050dbe62c8261cb9

                                                      SHA1

                                                      2edfaf71bbfc38656b0ceac176891ec4eee8df67

                                                      SHA256

                                                      243825d65df708eb8e6d3f32b6cbaf3d67b36a6f26fdaca9b0df3b6aadabd2d8

                                                      SHA512

                                                      a8eb0f11478b60967a6c85953f8c5967af081c78c10791c12fa92e1d242724f44edd83be0bfdd07238de5fb7511c380df3a102a39590de215bb15994ede62dd6

                                                    • memory/3504-342-0x0000000000040000-0x0000000000050000-memory.dmp

                                                      Filesize

                                                      64KB