592abf8a884553d34b1a4b27ce12d51ad8dcaa2c35db7b004e37fcc642185405

Resubmissions

20/11/2024, 14:55

241120-sal8ysyfpj 7

20/11/2024, 14:54

241120-r9z4essqgp 7

Analysis

max time kernel
99s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroGenerator-Checker-main.rar
Size

8.3MB
MD5

cecae080f9a2005a9afa0f96bce6f2e7
SHA1

93f5154b216c4a862e6a4e6ea81f64a7a06dc9ab
SHA256

592abf8a884553d34b1a4b27ce12d51ad8dcaa2c35db7b004e37fcc642185405
SHA512

0e5720b892ff1abfdae0c42fc970e94b5c307ea43931b9a6598cc7b12fe5e1f12a27c2c88c9b95567d77e017feeb30d84abd5c101bf2e14119109e666ed94866
SSDEEP

196608:a9Rza1/MMedj8DhtneFHt9LOHgjN0CWKHzGB/7Vz7VZ5C+v:gi/MM+j8DhqHtNagjkWk7V35C+v

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3968	NitroTool.exe
4040	NitroTool.exe

Loads dropped DLL 16 IoCs

pid	Process
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe
4040	NitroTool.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023ca9-8.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{102F76D4-094C-4247-8C0E-1BB579BEC03C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2404	7zFM.exe
2404	7zFM.exe
428	msedge.exe
428	msedge.exe
756	msedge.exe
756	msedge.exe
764	msedge.exe
764	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
2404	7zFM.exe
2404	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2404	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2404	7zFM.exe
Token: 35	2404	7zFM.exe
Token: SeSecurityPrivilege	2404	7zFM.exe
Token: SeSecurityPrivilege	2404	7zFM.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2404	7zFM.exe
2404	7zFM.exe
2404	7zFM.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4828	2404	7zFM.exe	95
PID 2404 wrote to memory of 4828	2404	7zFM.exe	95
PID 2404 wrote to memory of 3968	2404	7zFM.exe	98
PID 2404 wrote to memory of 3968	2404	7zFM.exe	98
PID 3968 wrote to memory of 4040	3968	NitroTool.exe	102
PID 3968 wrote to memory of 4040	3968	NitroTool.exe	102
PID 4040 wrote to memory of 756	4040	NitroTool.exe	103
PID 4040 wrote to memory of 756	4040	NitroTool.exe	103
PID 4040 wrote to memory of 408	4040	NitroTool.exe	104
PID 4040 wrote to memory of 408	4040	NitroTool.exe	104
PID 756 wrote to memory of 2244	756	msedge.exe	105
PID 756 wrote to memory of 2244	756	msedge.exe	105
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 4476	756	msedge.exe	106
PID 756 wrote to memory of 428	756	msedge.exe	107
PID 756 wrote to memory of 428	756	msedge.exe	107
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108
PID 756 wrote to memory of 4164	756	msedge.exe	108

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NitroGenerator-Checker-main.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4690EDE7\Nitro Codes.txt
  2⤵
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\7zO46988EC7\NitroTool.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO46988EC7\NitroTool.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\7zO46988EC7\NitroTool.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO46988EC7\NitroTool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/pV4MDjWBeK
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffc15a46f8,0x7fffc15a4708,0x7fffc15a4718
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        5⤵
        
        PID:4476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
        5⤵
        
        PID:4164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
        5⤵
        
        PID:5064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        5⤵
        
        PID:3816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8
        5⤵
        
        PID:4152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4840 /prefetch:8
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
        5⤵
        
        PID:2316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
        5⤵
        
        PID:5700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
        5⤵
        
        PID:5708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        5⤵
        
        PID:5904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16197519657124898473,6342759114530738558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
        5⤵
        
        PID:5912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1740a9dc-4752-4753-a636-6ba3b9c25833.tmp

Filesize
10KB

MD5
4fb3dd9ecfde08e92b12a041c5cf7e53

SHA1
c120bf55aa8a625daec0288aee8c20d38321d316

SHA256
e66d36224dc5d48bfbf769b292c228727c3d2dd5da8117d23232f83fd3536143

SHA512
20488e2bafe8e8b02f8decae62f2bd4b1be25db5b341ba60313bd7559a3011be0568025de39cd14c7830437f1326ab68d6ac679f4c2fe4d2acc4be4e04ffbb9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
28c53417bb8d97d0833314f675247cc4

SHA1
fdc25f5d47b02d97932a3e2ec06ff927b6a4bddb

SHA256
a8cf3ec645c50b813eb771b9a56361fa33e1c6324af757dcf5b79d8dc5aff73c

SHA512
f9534d3725b55d1a028a4db35ca3e1be97eb96d27f6b973aca6eec51a9951e0d843e1844f8a6fcf053478997db7ccccbf45dc23bbc9da230671afbd9223d4713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
0d294de249ac1f1ca5aa8e9920d2cf8a

SHA1
57bbcf20f96ac6ad59f0bf746295f119ae5fc5f1

SHA256
a302407952c1525735822aa83c89386f8a90a26a08ff1faeb758977b08d84759

SHA512
1d10513ab1fa323988a84da2563693fb9ee1b3243447f94fa9ba90648987c905841873066ba0add255f62034ee49b02f9e6ffdce0c4fd98ae7f1f67ec7fc4b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
a2db34a0675fa5282571177af7ca19c9

SHA1
07071696ca785f0dfe4ff1972861df7e2aa4b7d8

SHA256
ca3c25080ec69cb74f98d56421fd12bf27bcc63366583ff9a66b99b77497fa1f

SHA512
707d6e86f1c8826e68b9fd63ce36a0c9ab7d43e3ced2e57ecef773d341367d828eb202f5ad56a379b973ff8e334db2a8f287d5cd99e017c0113dd02b5295daf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5f8fd43eb42fc02d80ffc9df1b36aed

SHA1
3bd57c429e5b12865894a793372bed05dbe79d39

SHA256
b3ea95bdc5728e8065497ae4d55c37bcfa48ae1d41419cc402b1ae7134377425

SHA512
da778d541bd73252a4a916037bd2543b52f217646d84d5b9fd8e11087bd21ef548c0c3abbfbef0c2c14fe9853a66202e4b40528c9ccc7241e2954a865d557c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51fb77c81b68e3441a4ed7a4611cc705

SHA1
66a8b7dbbe82675922f6ed208a0a28eef3e40c12

SHA256
ead6594b9bda625b70c901729635a034c84bad29952a003ee52729f14ae8781d

SHA512
a8dead794f4d192467b48002e2a93a54263509c942f14be8a53265e740ab8add51f9ebd841ee80b30745fbba41a75414129673199d37c15f7c8476df17cb071f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5b35875b2deed45a9ca32a40fa47e69

SHA1
50fe248544d1715fccab8f479455a2caa6945526

SHA256
9b748d33ddce1d4d230856fcae3dc8f54017780d2d54f3a621d7559c03494304

SHA512
15bc4bb21d99523fcd44d195e851fbab7c63aa25cf21e1b5e2fad2fda6e312c0c03e4da8b5157c8770b30db47c412cb1450948d4469ef233ca290ee9d72480ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc8699319d1f01edb52e9f211b764ab1

SHA1
2b8af33e110d87e68ac47089775af81070645839

SHA256
5ded6ab8247cb8b4fdde04683a477f85bbbb94677f42f04c5f5ca1ff94ccc50b

SHA512
4ac352de183b1836ebe50c552d30ac18e8ff204d0e0c4820e1b2170576bb013543ac2bbd5d6aa6d929f67361278d32b09b56e6a9a6c978667f10570603a15a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4690EDE7\Nitro Codes.txt

Filesize
3.7MB

MD5
21c4baafb432cb0fd2f3489f5ad5e707

SHA1
8aef62cfa7b3ab10a3d01bbd0e5f1737f6baccfc

SHA256
52e409c4c07c99e313dc53cdd3f4b92081063898130ea327715d38392ca37d93

SHA512
ffcd3c7dac566d49fa53cc322dec28179640a800b3ed2f8d3fa4e8686cd516403ce5ab273cf2433ceba70838273ea3e4463321cd158c82162ee2c24847fc2fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO46988EC7\NitroTool.exe

Filesize
7.3MB

MD5
3b7a4518fc3e2dce7e9d26b73823683c

SHA1
b1ede38974d1be0e771eeca02b4cb3eea6553ffd

SHA256
bae1f61c77b66a9821282a3739db03ebf4bce619e1ed57e1bfea780776d735a1

SHA512
b01fcb882275ff6cc589d22a6fbdbb3b91c49136c2656eda6761e1e0792d8329431627d90ac94728b29a8a7faf4ade867ed0a343bc8c30a9eb6d9062543f3743

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_bz2.pyd

Filesize
84KB

MD5
499462206034b6ab7d18cc208a5b67e3

SHA1
1cd350a9f5d048d337475e66dcc0b9fab6aebf78

SHA256
6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e

SHA512
17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_ctypes.pyd

Filesize
123KB

MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_decimal.pyd

Filesize
265KB

MD5
56302e90bc4fb799e094987f4556fc0f

SHA1
3ddb8b77676545905aadef5ba73583c4b904824b

SHA256
17f43bf9552fcf8194f4b32909beffa4238b76866f7dd50f4b70de799362f66c

SHA512
af962aeef8052f5a90855ce0fd6c99862a8a72f649331896737d57d67ccd400f92aec12f5ab958fb08ff101b606a82fe0cd307287616297a37e4532fa5fe657b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_hashlib.pyd

Filesize
64KB

MD5
60f420a9a606e2c95168d25d2c1ac12e

SHA1
1e77cf7de26ed75208d31751fe61da5eddbbaf12

SHA256
8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c

SHA512
aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_lzma.pyd

Filesize
158KB

MD5
bc118fb4e14de484452bb1be413c082a

SHA1
25d09b7fbc2452457bcf7025c3498947bc96c2d1

SHA256
ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3

SHA512
68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_queue.pyd

Filesize
28KB

MD5
34537f5b9da004c623a61911e19cbee5

SHA1
9d78f6cd2960c594ec98e837d992c08751c61d51

SHA256
a7cdedaa58c7ba9aba98193fce599598d2cd35ed9c80d1ad7fc9e6182c9a25d5

SHA512
70bf8e8e3216050e8519b683097e958f1fcba60333eb1f18e3736bbcc195d0fad6657b24e4c3902d24b84a462c35a560eb4c7b8a15f7123249c0770143b67467

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_socket.pyd

Filesize
78KB

MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\_ssl.pyd

Filesize
150KB

MD5
66172f2e3a46d2a0f04204d8f83c2b1e

SHA1
e74fee81b719effc003564edb6b50973f7df9364

SHA256
2b16154826a417c41cda72190b0cbcf0c05c6e6fe44bf06e680a407138402c01

SHA512
123b5858659b8a0ac1c0d43c24fbb9114721d86a2e06be3521ad0ed44b2e116546b7b6332fd2291d692d031ec598e865f476291d3f8f44131aacc8e7cf19f283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\base_library.zip

Filesize
768KB

MD5
ffc01b614a61d204095d0ba3f110d0bc

SHA1
0d103e30c32b843b325f4fdd17c575fe8eb6ea0b

SHA256
cbda495cf95ea72c964211ae2d9c72143e9dcb8acdcf2aa3a6959e9df5c60f4b

SHA512
fa02d67284cfa24935e455b71a056ff4a49c6c116dd27c9bce5b11cb6f0d173b0ea6a04e3890c226030a2803a168870aafe5e50e95b026c0bb2e8c91d2e78003

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\libssl-1_1.dll

Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\python39.dll

Filesize
4.2MB

MD5
c4b75218b11808db4a04255574b2eb33

SHA1
f4a3497fb6972037fb271cfdc5b404a4b28ccf07

SHA256
53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2

SHA512
0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\select.pyd

Filesize
27KB

MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39682\unicodedata.pyd

Filesize
1.1MB

MD5
5753efb74fcb02a31a662d9d47a04754

SHA1
e7bf5ea3a235b6b661bf6d838e0067db0db0c5f4

SHA256
9be2b4c7db2c3a05ec3cbd08970e622fcaeb4091a55878df12995f2aeb727e72

SHA512
86372016c3b43bfb85e0d818ab02a471796cfad6d370f88f54957dfc18a874a20428a7a142fcd5a2ecd4a61f047321976af736185896372ac8fd8ca4131f3514

Download Submit