hxxps://download1648[.]mediafire[.]com/x4lw8p3316ugR2u52XkMiF3mLXmyAHMDPwKY8NfbCGOAz4xQFHxw8QE20WvIPIE8EPzy1BEFL3slKqTGxUZRQ8xVQe7tByQq5ipm-bgmBJio8o13pWQK9KzsTTU915X-9y5YgYbQIKFMwX4A0ajUgJB9MGKcppTD4wo1KF1iYr3B-w/vehz5gm393ydtoz/nitrogen[.]zip

Resubmissions

19/07/2024, 20:40

240719-zfx1zasdph 5

19/07/2024, 20:40

240719-zfv7dasdpe 1

19/07/2024, 20:37

240719-zd9lzsycrn 1

19/07/2024, 20:33

240719-zb32esscjc 1

Analysis

max time kernel
297s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download1648.mediafire.com/x4lw8p3316ugR2u52XkMiF3mLXmyAHMDPwKY8NfbCGOAz4xQFHxw8QE20WvIPIE8EPzy1BEFL3slKqTGxUZRQ8xVQe7tByQq5ipm-bgmBJio8o13pWQK9KzsTTU915X-9y5YgYbQIKFMwX4A0ajUgJB9MGKcppTD4wo1KF1iYr3B-w/vehz5gm393ydtoz/nitrogen.zip

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133658953440662336"	chrome.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\㉧少⃻谀耎\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\.py	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\翻	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\翻\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\㉦尐⇻蠀툠屄ǋ\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\㉥尓⋻耀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\㉧少⃻谀耎	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\㉦尐⇻蠀툠屄ǋ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\㉥尓⋻耀\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\py_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
2988	NOTEPAD.EXE
4468	NOTEPAD.EXE
2528	NOTEPAD.EXE
4888	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3000	msedge.exe
3000	msedge.exe
1604	identity_helper.exe
1604	identity_helper.exe
6120	msedge.exe
6120	msedge.exe
1812	chrome.exe
1812	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4512	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe
4512	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2260	3000	msedge.exe	84
PID 3000 wrote to memory of 2260	3000	msedge.exe	84
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 2348	3000	msedge.exe	85
PID 3000 wrote to memory of 3932	3000	msedge.exe	86
PID 3000 wrote to memory of 3932	3000	msedge.exe	86
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87
PID 3000 wrote to memory of 5080	3000	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download1648.mediafire.com/x4lw8p3316ugR2u52XkMiF3mLXmyAHMDPwKY8NfbCGOAz4xQFHxw8QE20WvIPIE8EPzy1BEFL3slKqTGxUZRQ8xVQe7tByQq5ipm-bgmBJio8o13pWQK9KzsTTU915X-9y5YgYbQIKFMwX4A0ajUgJB9MGKcppTD4wo1KF1iYr3B-w/vehz5gm393ydtoz/nitrogen.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb76d546f8,0x7ffb76d54708,0x7ffb76d54718
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,468289633428731579,13991673800904519325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
  2⤵
  PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nitrogen\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb65fccc40,0x7ffb65fccc4c,0x7ffb65fccc58
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2100,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4424,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3240,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3408,i,988524964789372109,15319485876196440617,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5924

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nitrogen\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4512
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\gen.py
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4468

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap8053:62:7zEvent4149 -t7z -seml. -sae -- "gen.7z"
1⤵
PID:2448

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\gen.py
1⤵
- Opens file in notepad (likely ransom note)
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a8797e00ee6734ebd24b144170c4c1f8

SHA1
c282f6ad06ab75f7efa9e7059eaeaafa8fd893ab

SHA256
082976544dd2420d8547b780bd6b23ddaf3cc224f1d3cf3ab1264e5e8faf0f78

SHA512
c3c303856fcc43d33092434e6bb58bd0dd4fb4fcad45c72036f95e53d318528009284bcf57d09b17d207a6cdbb11bb77de6e618074198e5e227cc22a6459749a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f657ac069aa5593df4639eac28332d94

SHA1
82818217c55f0a70d90e12342b295baa9f72b672

SHA256
ad5c191747342802010c26ead16026bc16d305bf4c9802fc1c261cd7b3110b56

SHA512
e7a0ae0ed8a37a283870eb8cead314da4e5b7b72f299ccce84de7e72b75afeb0bd14d29b31400def2c99709307f80e494be0ba5cb28553b6343198c1651a5813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f78aac7bbd4bdabb65dab3b0fb0ebeff

SHA1
7b977141ebc1b609a57bbe1af25324a0af3cf4ad

SHA256
b2f64f6c8067ec7a166bb2fd3823b1539ac75bbf3019b7f2d1711afc3eecf967

SHA512
8d090acb16da2a2a80d9e4031735be194e00aa2e84048bce6a26f456e1e303f6106b691dd2a62785f30b29a087e72bfbff262080ea0ceaabec5c943922785489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2639b61f27563a663edc4fb2958f2cab

SHA1
a27a575047bda0620db5f2ade47a47c7d1bff948

SHA256
5886e0651277ac0a7e7240cbf711d0c6ae0ad53433351ec969bd96cc44c9f4a2

SHA512
9466970f4c36db489d776f46eea4ece63b21341500e2067acf462144b36954fc8ad0eec38e0e52b437adc03b8fbdd9c1aed7e98e26bfb5caa67a91d1fed7ed47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
526cd459e44325caf37d196b81c7b764

SHA1
f234dc766f57324a562c18eb6af019a26cac3492

SHA256
79249624f9a902a8de743260348f0c0f9a8593187224908ad919dc057188a467

SHA512
429a2c35aa63daa5bfd1297c71ec98c5f49041566795fce1c8ea72bdb59805f48b230f9fbaef4e07b22e680edc21a3b03aed4423a39500f224bd7cb1806fba85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1fa052d4d07c58fcc738dab0a0cbdbe7

SHA1
bedc9356eea30f6f6a049223935ea42bda92909f

SHA256
3e4e1aba00042f299bdc0844d5497869d442f505dc69065cb9d85890a92364fb

SHA512
09d25b26aa0be7f04e3714877e57091a610462c70196c843efb843886861b24877f284282b8f1650d3b95c10a7bb140b159717b7eebe93dbb260c3a5cf694d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f52f4b65bf007d35913834a70fe3d7c

SHA1
e40f7ee496a5bf1fb78ca7cd5c24d9d024a5b7e2

SHA256
ae3551fb3f7716d12fc643ec2326e796cc5e3ed50d1baa2a714d6126f00b90c8

SHA512
574482199c0ae20facea2d679caaa0635341efce7032a1703e2ef7e6c05ba46f4f65ba7daa5c6af1f3c397b523c0e02585a9d772fc5c1b09bf338b87c7a5b230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
218b75ffe0d2414ea39fb5cc9621bd90

SHA1
f446f0a7daceadf4cd85daaecb57760e1aeeba9e

SHA256
4076528bc3f7bae437b2e745c093b969f2f1d0435bd51afcac5493e7c9d4ef7c

SHA512
4a744863a6ef3800751a58f7ed165f2691da07ab3e6ec5f75bf0679c44746cb0c3adcaf1edf221f22b678b4bd2e3d4adfaf8de660c22b967f42cb45fda174259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91ab90d9d6144871c97192e39bb0a09f

SHA1
343bdbb9bca7bb09effa501209c94fb7b60f69ca

SHA256
935c0062d1c05d84fd34927f4401dec51dcc8bddc1a063d5178e737d37a7489e

SHA512
ad81a43655798d7d7e4570595c0ea3bfb9e2ccde06c9687fb6fb30e44b09cd653b695b92939decfa4c7c866b8cfa4b27666df1a2fc91958af3ee9bd7d210754c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ff12566d619f77eacc037f34c4f29bc

SHA1
a13a502cd156530581d497308882967374d0de07

SHA256
3303cb078ae64842933e91a16ce32b663b89437284368bf0ee1574f7820c5264

SHA512
8ef4e7ec14f7d0ec6d7b086a9b65c154c74d5838b0ad665b414ec91988e866be66ddb06b8d9f91018a08c6e9bf0267783fc6a167d9b1bbec0b0cdae086c8c4f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d62f28e3ac7d629aad88d604f547d220

SHA1
e0679547191e9f3e6bd5ec6441eb65d2cf2e7a62

SHA256
32b1988d53979e4bf47646c3e5f6ecaf08c38f900ac42d5e185441366f0b9c1a

SHA512
f4aa390e1547a68c979cd77d716421aad6b978a85c683a49c62a326288175e1b85214f14b9a363b0cbf23b86058846054ad3930bdb7fb30646cad1e1cc03660d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87827ba480c7b2f0b30785dbdd71230f

SHA1
481e6936b167d0388214ef828ac19bfe86f3d61b

SHA256
f30c236e814751aa45a93da1fb8e6e9b1dbd6633a30b0e25cf0f388587faa219

SHA512
d9e31e82b0cc65ebc5ef39f3d7323ba2ab705dbd75cb567fddf3cc48a0828615e1970ebd1e245a909a0708bfae23c2f819f97590f6bdf17b56a70778a7956dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8955d7b325b7ab59a81fb63ceb83348f

SHA1
7715b8dbc684faf92a4cdf4efff4999756a781fd

SHA256
3263220d57847087312b9c4d2136cb5fb2f85db755ad45801b793c333d44dd71

SHA512
533694ce51c5ad7fad06e731b295eb444fa44b33a906e3e5827323318d00cc833279c2585a33608526565662801edb03f8cd1386ac4184d66e852138d41a92ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
288a49d9ce91488ec6e39ad209527315

SHA1
5fc38ae89a1998a72afdd3c9ccc5a3e3cf909fd6

SHA256
a1ccdb5f8aad1e7bad1c5b68c1f2614fb230ee6a0baf6e22fb48f7f3fec70aac

SHA512
b67e6052df6e646ad67ed23d65ad5ea840efa3abcb16dc699ab2138283ec26e5c7efaef35933c705c44ffb63fffd783b64ddc4f8a4e0617f6382b3847b6c0b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e13cc825431663a7458c9da7575605e

SHA1
4f6093c3484deb7fec341bdbea3e9fefd4307d46

SHA256
d395ae30997139fda1b41ec6faaeb61f99c43ae348acaa802d45e4976fe94b31

SHA512
8ab531851fb9fb67149deeae77d6191f2a33fa36fcf5c622eaf0e956e0c631d12d360a72da5406113e015f076a8fa0937c7a10983799beab23e054d2e5d94dc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ba08b2c5f5e18b3adf30ebe48418bd67

SHA1
f6208b5edb26daf84520faeabe904bf3b15adacf

SHA256
7fbbf1dfbf3fff2a275b2b63c94b6959ef25e74cf1194a7c64e4c5a2aaf2c5be

SHA512
bd670f3a0551a6e86a0a5cc2ec81b73435f150a313585e14c5145929e23f7f7141f8ee1d58f7a924ef11052273a7123f153f14fdc63a5085edd9fbf2234ad519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
731ed0035dac602603177f9522b56a0c

SHA1
505d0ce01ffe0de4d89a072c3adb80d8b3c757e4

SHA256
44ed1d7394c12a935633a2bdc1c7904042e68f80512a946c2045a893378e1304

SHA512
a613673b9d6c961de5621bad5c59e944bad2c473ecfda4a76852926538c10144d6fc2d6f624cc3555977fbdbbef5a2a5ca7c7012d168008a959841ff572e5b5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
07de1ecc67fb1bdca3aa5b3dc35e4c68

SHA1
c10aa6008231e2a99fce9227fa17b0f2346b65b1

SHA256
ad4976d619f0d921ff0ede1d7887b31da3a97f59798ffc2d00f3e661e2cc570b

SHA512
4ded6c5d0455a98268316495e18d30300200e3ff84da266d5fa616cbbaf47afbe2ba2a92cf32d6cdcf9399c7358d4514179b41cde198b9f36861baa13359ffa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
62bcb6a276e54bb3f301a7eea0806d48

SHA1
f0d975ecf12056810f8c5c6715ba7bfaf3fd2800

SHA256
943229130d7c3908ad51a9eb125071bfc454d581a90def6e71675f812321a657

SHA512
4699c2837332e6d39817135c69aa72483e3ee28cdff25a542c7f5c3ebf1d96b315f4a0820bd76ba44be960e87a897ac129709a1382a9499b8c1dcad6b98434b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
00619c4fe756e88ee4c7aa8d952c0acd

SHA1
89e5fd516844bd1884524e4ea343be20c0a6c4ef

SHA256
0f8323e1a2a4a758351d76fe695580a596ba8c25eb0b6c374107bd769f5709b7

SHA512
d420dbc6313a7f3396b701c53aa7d17bdca3d757625e8542aa1eb2e0754be636ee8ee3d596c54017f5b405fd2f1d4a7a63278cd105702957dcb5ad92b65960c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d80612259ad13694a64c283888f84904

SHA1
6ab2b7d2ed7a6f905444bb3e8571f1294acdbf3f

SHA256
c733c73c79c941b1ccb8fe8640209cd4488134da1376fb32a418eebf6b222451

SHA512
ea278d03eec97496af8a8addfa72a0ad3ff7692f41fc41daf3fa8d0680912f685561c76ef8cb5c2dbf56d72928abb7ee3881914fab1caacf4e96d41aae636d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a7c709d6982b642da31cc3b438e2e555

SHA1
ada4fe5065ef95c906eee3c67f2623df6e699be4

SHA256
af028bbca7b81d69307445f59eb663d8f9a6b9baa98400fc42b9a67645e1bab5

SHA512
02395da97555541a387c94cd6f51255197566d198f47e62fa602182d15ff02f36edd9bbc6831c756a9646b542d9e986ccd88b36bf9aaa766d08beb3ccb2ba589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ce910a3cff041f2511481a853af49f8f

SHA1
351d07b8b1e486b3b4f33b2f929d94d430350ef6

SHA256
a8bdfbd485ca17391b69e637597bfe0dc5f36667bf0ba8050c9308c1551d8774

SHA512
1d055c56ec27f958fdeaf48e702857939164ba20077d434a452fceec8dc90881a84f175c9609a8696efccd42b326eb479c5a1d4332c4829b6dbc75209d7e525b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
f55d346d746d8c65241438d3921283db

SHA1
be75d983994d1904659b599a8713ffb31bc4488d

SHA256
5c59ba81663956ee4bff1eb9dcfddfd828f7f873ec8312d8620c63b902e22cfc

SHA512
1f22278545e8527feb9104c4530ae95b3e1811687a2904a478f4bf04cec60cbd4d0e8dc6044e3271417b011bbd5743fb0df747eb888dc272a27db362a7b6bdff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
71ca0f4e0c3b767f938b331912c083d2

SHA1
8abcd8a9971c350108d9a69b9df950275090d430

SHA256
5d2fb09577193f36e3d9453279485c7db619d8d1a4185219f0ae89f4748869a3

SHA512
de5ef9999bfb23a4f3d4998c1cc719f1265e283707e1a9f928bf453c8b896d9932d4ee02b7ee383d9f8b49ce71cf3fa456476f84e6a940a2a493fd6c4f9f5bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8183f3843e134acb8836b88f68f58c56

SHA1
2cd993ad6cc09eeb34447c46194f67091b77ad4b

SHA256
864e1e61d0fbc33e09b53361fc077d39bee4a258b43c68823967ac3928bd9557

SHA512
2707311ccb4543ec04c5961f7b33abc8fabafb0be1273a8d57e2724fbb4898b3feee36654218ccb1d1518aefdd0e6cb96735fb2e712f8ff09341926312956886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f608.TMP

Filesize
706B

MD5
c9bfc219c616058a271f61b6156d93fe

SHA1
040e9034c6d24b3aa6877d96c4c4eda26211f56c

SHA256
80d67fdffe7cf7ca3a5ecd00a8739565b2b999f885749cc006667351d9d4c94d

SHA512
49976fbf842b025c3d98ba3bdbe0f9c092c9b9d611e8674a0f6a64cbaaef2fb793e66f29dbb908af2fc6dfa315c23485de563d4b9191e4770c611088f56ec429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c960e59f-0d13-4f87-b15d-23a820ebf3b1.tmp

Filesize
7KB

MD5
3ea97523e527583b87e38617014f7973

SHA1
be32795395151ee37fb295861f46c43a3ba304f1

SHA256
658c3114c6831ec9dcd10217c0833084be34d51fc1dd48bd0c9f5232d1c193a3

SHA512
0a13d9cd2b2e92ccbd86b5f24babb6291dcc536bceb518badfd70179b0a8bfe5f0bb330d06667358213d9af8af584a97b5a76a7d990622a4f5d4d4b0a032cb8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
028aa6d8c6cc010e39699fdc9df30a6e

SHA1
3b376ee5bb91d830b6caf636c0419c00f6d1891d

SHA256
c221cc2707e839e1d24fe8b4715abbfab5115570b5d1d73934ab70cdc562cfc5

SHA512
f51f93ac1df566834d33dc28b8d672fe158f47a2b0f6ebe316b1bda61dff9466444976183bc809ec652b30bc78b9015a80129808e289108a40949f72c3b90c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
02a0eb2d18a045986fe2db590619772a

SHA1
7c49f8df84e95d013db509d61a00b76341edf8ac

SHA256
531809878a7aad701c5547bdb895524cbbfb426f8a98c3c55b5a5a0d9b45a28c

SHA512
de95120611fd3557815afa853dfc79bef4fedbfaf0ac94c0832c8228bf2fbc5d6139ccc6158630bdbcc16dedb6e65e5ff4435ad7394f72b9e95e502699f46a94

Download Submit