nitro | hxxps://github[.]com/Zummyy/discord-token-grabber

Analysis

max time kernel
56s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Zummyy/discord-token-grabber

Score

10^/10

nitro persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Unconfirmed 253589.crdownload

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L�v�%��"�0�� @�� `��`��q�O�� @�� 8�� H��.text�� `.rsrc�� @��@.reloc��@��@��B��H��J��B��G��}��0��(�� +L��~��o�� ,0�~��r��p(�� o��~��o�� ~��(��X�i2��(�� +��(��X�i2��~��o�� o��*��0��(�� +P��(�� ,<�~��r��p(�� o��o�� ~��o�� Yo�� ~��(��X�i2��(�� +��(��X�i2��~��o�� o��*��0�K��~��o�� ,5�o�� ~��o�� Y~��o�� o�� ~��(�� ,+�+�*�0�� C�� s�� +�o�� X �-�o�� ~��(�� s�� ( �� o!�� s"�� o#�� o$�� o%�� P��s&�� o'�� [o(�� o)�� o*�� [o(�� o+�� o,�� io-�� o.�� s/�� s�� C��+� o-�� io0�� % �-�o1�� ~�� o�� o��;�~��r5��p(�� o��~��X��o1�� o1�� (2�� *��7.��QH;��0�x��( �� o!�� C��s�� io0�� &s"�� o#�� o$�� P��s&�� o'�� [o(�� o)�� o*�� [o(�� o+�� o%�� o,�� o3�� s/�� s�� C��+�o-�� io0�� %� -��: �~��rI��p o�� (�� o��~��o�� o��o1�� ~��r��p(�� o��"�~��r��po�� (�� o��o1�� o1�� *4��/��"��/��"A"��Fe��"(4�� *��r��ps��r��p��~+��s5�� *�}��} ��} ��~*��s3��}��}��(6�� (��*0��s7�� }��{��#��@�@o8�� {��s9�� o:�� {��o;�� {��r�po<�� ~��o=�� +,�(>�� {��%o?�� r�pr�p(@�� o<�� (A�� -��oB�� *��b�9��J�oC�� oD�� *�0��( �� 9��{��~��o<�� {��r%�po<�� {��(E�� oF�� {��r�po<�� {��r�po<�� {��#'*(G�� oH�� {��rO�po<�� {��oI�� *��0��{��o?�� ~��(�� ,r�{��r��po4��r��pr��p@(J�� &~��{��r��po<�� (K�� (L�� ("��(M�� (L�� r[�pr��p@(J�� &�+�r>�pr��p(J�� &�*0� ��~*��s3�� {��o?�� ~N�� (O�� rV�po�� 9��rr�po�� ,$�r��poP�� XoQ�� (O�� +-�r��poP�� XoQ�� r��pr��p@(J�� &�(��,-�r��po4��o4��r�pr��p@(J�� &+J�r��po4��r?�pr��p(J�� &��+!�r��po4��r[�pr��p(J�� &�+�*V��sR�� (S�� &*��0�+��,{��+ ,�{��oB�� (T�� *�0�� (U�� sV�� sW�� } ��sX�� }��sY�� }��sX�� }��sX�� }��sZ�� }��sZ�� }��sX�� }��s[�� }��sX�� }��sY�� }��sX�� }��s[�� }��sY�� }��sY�� }��sX�� }��sX�� }��sY�� }��sZ�� }��sX�� } ��{��o\�� {��o\�� (\�� {��o]�� {��r��p"��As^�� o_�� {��(`�� oF�� {��sa�� ob�� {��r �poc�� {�� C��%sd�� oe�� {��of�� {��r$ �po<�� {��#'*(G�� oH�� {��og�� {��rt �p"��As^�� o_�� {��(h�� oF�� {�� sa�� ob�� {��oi�� {��r� �poc�� {��oj�� {��ok�� {�� r�� !��sd�� oe�� {��of�� {��ol�� {��r� �pom�� o<�� {��o]�� {��rt �p"��dAs^�� o_�� {��(n�� oF�� {�� )��`sa�� ob�� {��r� �poc�� {��-sd�� oe�� {��of�� {��r� �po<�� {��o]�� {��rt �p"��dAs^�� o_�� {��(n�� oF�� {��`sa�� ob�� {��r� �poc�� {�� sd�� oe�� {��of�� {��r� �po<�� {��#'*(G�� oH�� {��(o�� oF�� {��sa�� ob�� {��r� �poc�� {�� '�� sd�� oe�� {��of�� {��#'*(G�� oH�� {��op�� {��oq�� {��(o�� oF�� {��Wsa�� ob�� {��r �poc�� {�� e��Csd�� oe�� {��of�� {��o]�� {��rt �p"��As^�� o_�� {��(n�� oF�� {��T ��sa�� ob�� {��r �poc�� {�� sd�� oe�� {�� of�� {��r" �po<�� {��(r�� oH�� {��os�� {�� sa�� ob�� {��r\ �poc�� {��Ksd�� oe�� {�� of�� {��rl �po<�� {��ot�� {��su�� ov�� {��o]�� {��rt �p"��As^�� o_�� {��(n�� oF�� {��T ��sa�� ob�� {��r| �poc�� {��z sd�� oe�� {��of�� {��r� �po<�� {��#'*(G�� oH�� {��og�� {��(w�� oF�� {��G !��sa�� ob�� {��r� �poc�� {��oj�� {�� sd�� oe�� {��of�� {��ol�� {��o]�� {��rt �p"�� As^�� o_�� {��(n�� oF�� {�� &�� sa�� ob�� {��r� �poc�� {��Tsd�� oe�� {�� of�� {��r� �po<�� {��(r�� oH�� {��os�� {�� sa�� ob�� {��r� �poc�� {��Ksd�� oe�� {��of�� {��r� �po<�� {��ot�� {��su�� ov�� {��#'*(G�� oH�� {��og�� {��(w�� oF�� {��1 ��sa�� ob�� {��r�poc�� {�� sd�� oe�� {��of�� {��ol�� {��r�po<�� {��#'*(G�� oH�� {��og�� {��(w�� oF�� {�� sa�� ob�� {��rB�poc�� {�� sd�� oe�� {��of�� {��ol�� {��rT�po<�� {��o]�� {��rt �p"��As^�� o_�� {��(n�� oF�� {�� sa�� ob�� {��r��poc�� {�� sd�� oe�� {��of�� {��r��po<�� {��o]�� {��rt �p"�� As^�� o_�� {��(n�� oF�� {�� I��sa�� ob�� {��r��poc�� {�� sd�� oe�� {��of�� {��r�po<�� {��#'*(G�� oH�� {��og�� {��rt �p"ff�@s^�� o_�� {��(h�� oF�� {��# l��sa�� ob�� {��oi�� {��r �poc�� {��oj�� {��ok�� {�� [��;sd�� oe�� {��of�� {��ol�� {��(x�� oH�� {��op�� { ��oq�� {��# ��sa�� ob�� {��r�poc�� {�� [�� sd�� oe�� {��of�� { ��o]�� { ��r��p"��HBs^�� o_�� { ��(y�� oF�� { ��/sa�� ob�� { ��r*�poc�� { �� %��Lsd�� oe�� { ��of�� { ��r:�po<�� "��@"��PAsz�� ({�� (|�� ,/3(G�� oH�� X��sd�� (}�� (~�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (p�� {��oq�� (�� oF�� (�� rL�p(c�� (�� rL�po<�� su�� (�� {��o�� {��o�� {��o�� {��o�� (�� (�� *��0�� { �� ,R�;} ��{ ��,)�;} ��{��,�{��Y}��+�{ ��Y} ��+{ ��Y} ��{ ��-{ ��-{��+ ,��{ ��rX�p|��(�� 0o�� | ��(�� 0o�� | ��(�� 0o�� (�� o<�� *0��(�� (�� ~!��rp�p(�� o�� ~!��r��p(�� o�� ~!��r��p(�� o�� ~!��r��p(�� o�� ~!��r��p(�� o�� ~!��r6 �p(�� o�� ~!��r� �p(�� o�� *0�W��(��s5�� ~!��o=�� 8��(>�� (�� 9��r� �p(�� s�� r�po�� 8��o�� o�� r�p(�� o�� + o�� t*��o�� o�� o�� -�� u+��,oB�� r\�p(�� o�� + o�� t*��o�� o�� o�� -�� u+��,oB�� X�i?2��(A�� :��oB�� +�*�AL��)��)��'��@��"(4�� *.s5�� !��*�(4�� (�� }"��rz�p}#��}$��}%��*��0�a�� {%�� ,e�{"��{#��(�� (�� r��p(�� r��p(�� (�� (�� o�� r��po�� ,oB�� 8��{%��,?�r��p(�� r��p(�� (�� (�� (�� r��p(�� 8��{"��{#��(�� (�� r��p(�� r��p(�� (�� (�� o�� r��po�� ,oB�� r��p(�� r��p(�� (�� (�� (�� r��p(�� *��&�<b��@ ��0�%��{$��r��p(�� ,�r��p(��*��0�J��{$��r��p(�� ,�r��p(��+#{$��r��p(�� ,�r��p(��*��0�%��{$��r��p(�� ,�r��p(��*>�r��p(��*��0�`��s�� r��prL�p(�� ~&��o��o�� o�� o�� ,��,oB�� *��KR��"(4�� *Fr��ps��&��*�0�P��(&�� ,�s��(�� +6�(%��(#��( ��(!��('�� p��(�� s��(�� *0��~,��r��po��(�� r�p�o=�� +(>�� r��p(�� (A�� -��oB�� (O�� (+��(*�� (,��~*��s3�� B��%r��p�%o�� %r.�p�%o�� %r<�p�% �%rL�p�%�%rh�p�(�� o4��rp�p~+��rh�p(�� o4��r��prh�p(�� o4��*��&�&L��0��~-��r��po4��~7��%-&~6��<��s�� %�7��s�� ~8��%-&~6��=��s�� %�8��s�� ~9��%-&~6��>��s�� %�9��s�� o�� o�� o�� o�� o�� o�� ~-��r��p~��o�� q��(�� o4��(0��*��0��~:��%-&~6��?��s�� %�:��s�� ~;��%-&~6��@��s�� %�;��s�� ~<��%-&~6��A��s�� %�<��s�� o�� o�� o�� o�� o�� o�� *�0��(�� o�� r��p(�� (�� (�� (O�� ~�� r��po�� r��pr��pr��p(�� o�� ,oB�� ~,�� o�� o��*��;� [��hi��0�M��r�pr��p�~��(�� ,/�~�� r��po�� r��po�� ,oB�� *��/�@��0�Z��(�� o�� r��p(�� (�� (�� (�� (�� (�� (�� (O�� ~,��o�� o��*��BC��0�#��r�pr��p(�� ,�++�*�0�;��(�� r��p(�� (O�� s�� ~+��o�� ,oB�� *��/��"(4�� *��0�W��(�� '��(�� (��'(�� )��r��p�*��r��p�+��r��ps��,��~*��s3��-��*�0�c��~N�� r��psB��r��poD��% �o�� ,oB�� ~.�� o�� o��+�*��$7��>E��0�3��s5�� r��p(�� r�p(�� o�� o�� +� *�0�d��~N�� s�� r%�po�� o�� o�� o�� o�� ,oB�� ~.��o�� o��+�*��(6��=D��"(4�� *Fr��ps��.��*�0�F��(�� rQ�p(�� 2��(9��~2��o�� ~/��~2��~0��~1��`(/��&*"(4�� *R�/��0��1��*B(4�� }3��*��0�u��s�� %ro�po�� %r�pr��po�� %r��pr��po�� s�� {3��s�� o�� o�� (�� &��,oB�� &��*��=�$a��6�9o��&(4�� *��0�9��~4�� ,"�r�p��(U�� o�� s�� 4��~4��+�*��0��~5�� +�*"��5��*0�!��(6��rQ�p~5��o�� t>��+�*.s;��6��*"(4�� *2~(��(��*2~)��(��*2~'��(��*2~(��(��*2~)��(��*2~'��(��*0��(4�� s�� }=��s�� }?��~N�� }@��s�� o�� o�� o�� o�� o�� {=��E��s�� o�� {=��o�� {=��o�� &{=��o�� }>��{=��o�� *��{=��o�� {=��o�� {>��o�� {>��o�� *��0�A��~N�� }@��{>��o�� {>��rW�po�� {?��o�� &{@�� +�*��0�K��o�� ,o�� ri�p(�� + ,{?��o�� &+{@��o�� (�� (�� }@��*�BSJB��v4.0.30319��l��\��#~��#Strings��&��t��#US�<��#GUID��<��#Blob��W� ��3�� @��E��(��h��o��P��e��3�� l� ��`� � � N�� %��N��N�� N��N �v�� \ �� \ �K v �'v �r v �3v�8� G�� v��Y \ �J��%�>%�s�� H� �%�G� ��G��B��7��v��R`��s� ��b "�G��m �(\ ��\ ��%�@ � �+� ��N��%� q�� N��N��N��N�� %�N��N��%�� v �v�2\ �Xm � v ��v ��v �Xv �v �lv�� T� ��m �m ��m ��m ��m ��v ��v� m ��vC�� v ��v�� m �� v ��v ��v ��v�� 0 ��%� %��%��s �rv�� %��7� �� a��m �K��`�C`�o�� \ ��x��A��e��A�!��A�"��A�&�� A�'�� A�.�*�� A�/�/��. �A�3�3��)�A�4�5�!�\��A�6�:��>��A�=�B�� g��o��y�� $��Y��I��_��~��f��m��u��c��>�� ?�� %��6 ��&��6��<��v��'�� X�� "��C�P ��|��!��m��!��<"��#��%�� %�� %�� &�� &��Q ��&�� '�� P(��3;�|)��)�� )��8��'��9��2��h:��E�<��!<��-<��!�`<��D��=�� >��x>��, ��>��^��>�� 8?��A?��T?��N'��?��@�� A��x ��hB��C��|C��C��-�$D��|D��D��D��r \�xE��^��E��/\�DF��MF�� S1�`F�� "��F��"��F��"��F��"��F��c�#��G��$��G��E 9$��G��?$��G��E$��G�� L%�%H��%�1H��%�:H��E��%�GH��%�TH��0�%�aH��%�nH��b��%�{H��%��H��%�;I�� &�pI��L�&��I��R'�� > ��> ��> ��> ��> ��c ��h��"��"��"��"��"��B�� * ��X�� [��> �� )��1��9��A��I��Q��Y��a��i��q��y��1�� 5��;�[@��L� �5��R�� V�G Z��f��!��! ��1��1��9��9��9��9�V�I��9/

Signatures

Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
ransomware nitro
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4836	NitroRansomware.exe
4784	NitroRansomware.exe
4792	NitroRansomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomware.exe\""	NitroRansomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomware.exe\""	NitroRansomware.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	NitroRansomware.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
80	discord.com
81	discord.com
83	discord.com
84	discord.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
76	discord.com
79	discord.com
77	discord.com
78	discord.com
82	discord.com
85	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	api.ipify.org
72	api.ipify.org
73	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	NitroRansomware.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 253589.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe\:SmartScreen:$DATA	NitroRansomware.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1628	msedge.exe
1628	msedge.exe
556	msedge.exe
556	msedge.exe
4520	identity_helper.exe
4520	identity_helper.exe
4760	msedge.exe
4760	msedge.exe
4784	NitroRansomware.exe
4784	NitroRansomware.exe
4836	NitroRansomware.exe
4836	NitroRansomware.exe
4784	NitroRansomware.exe
4836	NitroRansomware.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	NitroRansomware.exe
Token: SeDebugPrivilege	4836	NitroRansomware.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: 36	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe
Token: 36	4548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4664	556	msedge.exe	84
PID 556 wrote to memory of 4664	556	msedge.exe	84
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1544	556	msedge.exe	86
PID 556 wrote to memory of 1628	556	msedge.exe	85
PID 556 wrote to memory of 1628	556	msedge.exe	85
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87
PID 556 wrote to memory of 2248	556	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Zummyy/discord-token-grabber
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb0ae46f8,0x7ffcb0ae4708,0x7ffcb0ae4718
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3521007497104189502,15370080786160090720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Users\Admin\Downloads\NitroRansomware.exe
  "C:\Users\Admin\Downloads\NitroRansomware.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4548
- C:\Users\Admin\Downloads\NitroRansomware.exe
  "C:\Users\Admin\Downloads\NitroRansomware.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- C:\Users\Admin\Downloads\NitroRansomware.exe
  "C:\Users\Admin\Downloads\NitroRansomware.exe"
  2⤵
  - Executes dropped EXE
  PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NitroRansomware.exe.log

Filesize
1KB

MD5
c81c2ec1b8be0ab444eedaf2893390ed

SHA1
444566609a28efbfed1c21a9a787812945ab04d3

SHA256
66e7acc21981c89e9d363178d606d4bed94e9f15e861903c6b94c23b4dc0f876

SHA512
ac593a805d22bcbd59ed922f1efd87343f7c03fb9d7b95a5e4a62f35898cd08747a6bade4dae948ee4118a8205ea33d3754a30408d51f642fa1fe847d91469fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
787516a9356c915f03fe9cace5a260c8

SHA1
0c7f13bc3257496d87eb74a2ec08af1237f35b1c

SHA256
a93bddf6a10f822865bdf251a6925c39efa8264b69c1de4520a3e50c0e27844b

SHA512
837bd583035c30a4ac42dff7fcfc13a9e055614fad548c93b2a3d1541551ef931a84df612f9bd4b34ee36a3767c5721a09866aab42482819cd31f7a0c06b7ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4dd95ccd62b25f4b1d6ecfa54bfee685

SHA1
634b64090ab79e3d1c9f5ce25aa508119c61a6e0

SHA256
a8a4227858620b0b6bc1ddc1f53ef0bfbd3d01f5252468545536a9c254266ce1

SHA512
a5a863d2aca5b3a66e6c05d754bf4532575b3b1d2f9ffa44578a52e1cd0687e772a8fc50934d2ef9b2c1e4aa3a4106ce2530ed1b3bfe1da1399cb346fca14abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
efd02e9ca379392ca3e2f734c6d06ab6

SHA1
786454bf9a7979473ce13698a28f2cb2f4af0d3a

SHA256
f7477624c27688a1e7ca56798315f1b5b9c8c9bafa652f96175384fc0f139748

SHA512
e03440aa5a1fe2adbe3cba7ed9e55878c2b8243d71e6e7aa602b2ccadf58823a80d62b18c0440533c01ea3f0ce2332f48650e59dabed6cb225e02cf0c74b57ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83284348f42bd939ad78b1659f5b6dc6

SHA1
3543b00bd8b782b759104526718b684e90f8679c

SHA256
324434a97172aae4e908131f6a25bceadc97b84971bf30a994ebda05df138030

SHA512
7b36ed848c93e2a8e2898e79ea41d8cef428f6ac5aacede6fa5805c827af52539f2b4120de6526a001143145e0e564b45fa1636cb30a4f1061ac7fff1dd8e2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
24d552d8c737b502499a855dd0950aac

SHA1
23337629f1755cfa43390cf0da2fa5a383bef77b

SHA256
55666e81ac182271619a1f509a99381128285b1ca0b185d2c58a556acdd49cab

SHA512
c7e919711cc7e1338bc0c2d7d3f839ad9769c3379b41d37513b51dbe81c07d26694a7b4646431dd7d458171ba2d338844724f9bb268bbc1c4e3c6743baabc3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a9ad.TMP

Filesize
874B

MD5
2312dd8518becd91fc977052b26d6b5e

SHA1
aa718e205856eb138f7944d47fb92ea54ca84283

SHA256
2813bcf4d590ee190f2db5b17dc648795b2b5e3993870ddf829166fc8c3a11c6

SHA512
69c0badbb3bf2bad4e4012dd76e6e35dd9682999b068f1370485022acb3bc34a92936f3f151b12d52f5eb02dcd5cb6984de77e54920b62017998c3137fe53a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93c210f9d6e76974367eb83a89377558

SHA1
abab7e94aa19628fabd4fa7fab05a32ab62da0dd

SHA256
217af85e0d925029c4e8d0262b41bdfacf781b0967a386b4877dc787e4329349

SHA512
ab90ec9e3fa5d9c27d46a5b30e4394b7ba1109f524982fdaf99ba61ca414e1764680ad992f5099a4e05e075bd5f0ca2c476c2ecd368e4688e757bfbb8f28dc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3223ea7ca75da24973f00d0fd9669bac

SHA1
c9100a4fc34cd4db726e7645b384714fa88160d1

SHA256
df0a20ecb7ee49133c206dfa79e59b703333475c00b1164c9bf68527e6758afd

SHA512
eda8b09812a5593ec8e861ecf748f6286ce9a01ae177060eda24884f97c20cfe25efde0843e873201d724e8051fef6a2570020cd9db3409cad0b983d0cf393e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12546226a7a3fe5c759432019bb4a33f

SHA1
7814e7dd4cd2763e35af0bf85b1ef11df8b4094b

SHA256
8fb15206dceb3696f88aa8212bfc0aa17e772f59ee73bdda835a45c44bdb237e

SHA512
22e8b8fb9dca2ee416c2c57cc8571c425a3d9b6aca7a380f58f1e187d37cfc6a62d889433680de4dc5f1f784285ba8e3bed08bb3407f6e374727088d103a18ae

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 253589.crdownload

Filesize
61KB

MD5
30fffd9a00691f9864c19e7a35f3f96f

SHA1
dda9824f3661340241cfa98a592ad4b676946e2e

SHA256
268a0705b818f5e0e113f3c66329bff1466219c011127eb57a6b1dfd6109ca3d

SHA512
fc27c6649adc1e788ceed3f53e6dc84aca005b3885692d24cb1fb0f1a2b4f0725f44143addd35f88c1fdeb6729b6222707727e188474e1dc2954d3bf55bfe742

Download Submit
memory/4784-323-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-336-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4784-272-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-275-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4792-348-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-276-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-277-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4792-278-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/4792-279-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4836-268-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/4836-312-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4836-313-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-266-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-324-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4836-329-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-269-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/4836-265-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/4836-274-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download