xenorat | hxxps://www[.]youtube[.]com/redirect?event=comments&redir_token=QUFFLUhqa0lEYncyOVhWS2IwMlc0NTZBTXFOT3JQV2d6QXxBQ3Jtc0trY2xVUHplN1J1bGR6MGhxRjF2YkZLNTBpVm9ienB0R3BpbDk0ekhGSWFnUHBrNi12ZWtyc3Qyc1NwUEZBTDNuMGhEUVdxM01qZjVyeEk4X2pDc1g3d1JjOXZDc2hTN0JqMGV2REIzUVRlZXZpeG5QSQ&q=https%3A%2F%2Fmega[.]nz%2Ffile%2FLoQQyJpZ%23M6Ru-TDqtJHNTbBrX29Z4GLdHxWcPGlEQcDv0vLbhVM

Resubmissions

02/04/2025, 08:50

250402-krm8kstybx 10

02/04/2025, 08:40

250402-kldf7atxd1 10

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqa0lEYncyOVhWS2IwMlc0NTZBTXFOT3JQV2d6QXxBQ3Jtc0trY2xVUHplN1J1bGR6MGhxRjF2YkZLNTBpVm9ienB0R3BpbDk0ekhGSWFnUHBrNi12ZWtyc3Qyc1NwUEZBTDNuMGhEUVdxM01qZjVyeEk4X2pDc1g3d1JjOXZDc2hTN0JqMGV2REIzUVRlZXZpeG5QSQ&q=https%3A%2F%2Fmega.nz%2Ffile%2FLoQQyJpZ%23M6Ru-TDqtJHNTbBrX29Z4GLdHxWcPGlEQcDv0vLbhVM

Score

10^/10

xenorat defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xenorat

quite-cam.gl.at.ply.gg

Mutex

MSNetServiceMutex

Attributes

delay
5000
install_path
nothingset
port
16226
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4268-1037-0x0000000000660000-0x0000000000672000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4760	powershell.exe
5988	powershell.exe
440	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2812	nitrogen.exe
3340	nitrogen.exe
4268	Windows Dependencies.exe

Loads dropped DLL 17 IoCs

pid	Process
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe
3340	nitrogen.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3104	icacls.exe
4720	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Dependencies\\Windows Dependencies.exe"	nitrogen.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
178	raw.githubusercontent.com
179	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
172	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2064	cmd.exe
5128	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1950542693\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1950542693\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1950542693\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1974450742\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1974450742\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1950542693\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_508366315\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1950542693\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3028_1161244476\_locales\en\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Dependencies.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3244	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880568707850112"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{BE489957-8806-4AA2-89C8-3790DF6F29B7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{847ED597-5A8E-429B-88A9-2BCB20D928EC}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
5988	powershell.exe
5988	powershell.exe
5988	powershell.exe
440	powershell.exe
440	powershell.exe
440	powershell.exe
4620	msedge.exe
4620	msedge.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5780	OpenWith.exe
4692	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4924	AUDIODG.EXE
Token: SeRestorePrivilege	4252	7zG.exe
Token: 35	4252	7zG.exe
Token: SeSecurityPrivilege	4252	7zG.exe
Token: SeSecurityPrivilege	4252	7zG.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3244	WMIC.exe
Token: SeSecurityPrivilege	3244	WMIC.exe
Token: SeTakeOwnershipPrivilege	3244	WMIC.exe
Token: SeLoadDriverPrivilege	3244	WMIC.exe
Token: SeSystemProfilePrivilege	3244	WMIC.exe
Token: SeSystemtimePrivilege	3244	WMIC.exe
Token: SeProfSingleProcessPrivilege	3244	WMIC.exe
Token: SeIncBasePriorityPrivilege	3244	WMIC.exe
Token: SeCreatePagefilePrivilege	3244	WMIC.exe
Token: SeBackupPrivilege	3244	WMIC.exe
Token: SeRestorePrivilege	3244	WMIC.exe
Token: SeShutdownPrivilege	3244	WMIC.exe
Token: SeDebugPrivilege	3244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3244	WMIC.exe
Token: SeRemoteShutdownPrivilege	3244	WMIC.exe
Token: SeUndockPrivilege	3244	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
4252	7zG.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
4692	OpenWith.exe
2812	nitrogen.exe
3340	nitrogen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1824	3028	msedge.exe	86
PID 3028 wrote to memory of 1824	3028	msedge.exe	86
PID 3028 wrote to memory of 980	3028	msedge.exe	87
PID 3028 wrote to memory of 980	3028	msedge.exe	87
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 5608	3028	msedge.exe	88
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89
PID 3028 wrote to memory of 4284	3028	msedge.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6132	attrib.exe
4940	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqa0lEYncyOVhWS2IwMlc0NTZBTXFOT3JQV2d6QXxBQ3Jtc0trY2xVUHplN1J1bGR6MGhxRjF2YkZLNTBpVm9ienB0R3BpbDk0ekhGSWFnUHBrNi12ZWtyc3Qyc1NwUEZBTDNuMGhEUVdxM01qZjVyeEk4X2pDc1g3d1JjOXZDc2hTN0JqMGV2REIzUVRlZXZpeG5QSQ&q=https%3A%2F%2Fmega.nz%2Ffile%2FLoQQyJpZ%23M6Ru-TDqtJHNTbBrX29Z4GLdHxWcPGlEQcDv0vLbhVM
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ffc7311f208,0x7ffc7311f214,0x7ffc7311f220
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3516,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5036,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5040,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5648,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5648,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6048,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3796,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=3780,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3772,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6856,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6864,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6900,i,1396949352617218178,15863771723683370118,262144 --variations-seed-version --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffc7311f208,0x7ffc7311f214,0x7ffc7311f220
    3⤵
    PID:1868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1956,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1688,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:8
    3⤵
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4216,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8
    3⤵
    PID:4008
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4316,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
    3⤵
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4316,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
    3⤵
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4700,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
    3⤵
    PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4708,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3580,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5116,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:8
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4220,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4616,i,1925351827070674528,4003766496472569700,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22727:78:7zEvent7901
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4252

C:\Users\Admin\Downloads\nitrogen.exe
"C:\Users\Admin\Downloads\nitrogen.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2812
- C:\Users\Admin\Downloads\nitrogen.exe
  "C:\Users\Admin\Downloads\nitrogen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic cpu get caption"
    3⤵
    PID:2976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies' -ExclusionProcess 'Windows Dependencies.exe'""
    3⤵
    PID:1756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies' -ExclusionProcess 'Windows Dependencies.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'""
    3⤵
    PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe""
    3⤵
    PID:2760
  - - C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe
      "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'""
    3⤵
    PID:3280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe' -ExclusionProcess 'Windows Dependencies.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:2064
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies"
      4⤵
      Views/modifies file attributes
      PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5128
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe"
      4⤵
      Views/modifies file attributes
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies" /deny Admin:F"
    3⤵
    PID:4972
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies" /deny Admin:F
      4⤵
      Modifies file permissions
      PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe" /deny Admin:F"
    3⤵
    PID:5204
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe" /deny Admin:F
      4⤵
      Modifies file permissions
      PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Windows Dependencies\Windows Dependencies.exe
1⤵
PID:2528

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1950542693\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1974450742\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4620_1974450742\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4620_508366315\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4620_508366315\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
2cc0fb195da3d01a4eda7ae527158cfe

SHA1
36d1a99e7e99cccbfd7528e5b0a7f6f71d8ea1c7

SHA256
f9f8121131eec8ee878beed5ff74370d0f2cafc973f3f18f93faeaaf9d21f809

SHA512
334d7eb50106cbc8b517236fa27cb9a86c92217921c7525ddb815b0ab305c3fb404bc774fdaf4be4d283c3ec483dbc12e68f18e3a40b109cc1ece1b7ed9ae8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0425ade58a0043eaf5afdb538b47f632

SHA1
f88afbe32212ab12233f5702d902a3aac9ef548a

SHA256
3a0d22b382f40eb69ddc4f16060239da500b702d2b71baf2cbed25b76105cc28

SHA512
b9681ff0805baf27520f22621b470ab81239a822d2d098ce2387462daa8220b66d6ef2c4a71397e63e5d5a2834105935fc5af553636177c4c86986e6bf8f3b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\95a8e69c-5c93-45da-8c80-8cb179c20242.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
a92b9d97783f33e5aa3c4d7f66429690

SHA1
1aac39371cf1206e7ecca459061daa4f7bd9c924

SHA256
c8245c7ce830f2388bb90d1c74a6c806a4fe822cd8ac6f3eec3667780b2e97cb

SHA512
c4f4b00438fbd33c54daf88374b68e588aa58fe0af1f319c719ee99d5d46fd7d3efa8e1d8aaa9f69e8a246d5bf7b3d7cdcc221a6755dc96e63de7ad0d50dfdc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
0f0be26ef775bfc1c0f5081cdc1f6d23

SHA1
4a0ce0a98785c80fc99bafd2cc16a131cb758b3e

SHA256
384f252ba99167e79f4284569aa48d14c3513eafc4d63f308d5105209a56a001

SHA512
497578150a70d69596c0519b61c1777e11bce13d69cf9d9c38e8cfd2405b5b1e7571d89fffb2b6b839802bed9973b2fa550dca22188819ee379be820459eaca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
68760fb70c7edbc525ea06732782c518

SHA1
e03c25f75d55e952670cb8cf44d3f5d455c357db

SHA256
b908852e42f74aec99d3043f0ff9df29711fc912577a3eb597046aea5b010124

SHA512
fe8c60f588f949988077a79ad8efc8cf5922e575d35571a5a1c93e57d33597d66a225e6dfe8531a5f77de9debae18bd18561d0cfb1de0cfa417ebdb900c44082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
8.0MB

MD5
e9e99216fc6309df86d7d1dc090aa32c

SHA1
be37262d4e7a586b38a7468c4fbb056391550b42

SHA256
f25e29fd34abf45221a70df8177792b61ece24a39efc7eafc4c28856b404b217

SHA512
d9252ac8684d0322c9f06355dae8638cf4e3115bf39282b1e71b84e0cb51f410491d720d8a15262728391b860bd8e9f36ba8b694a6641f93422b30cdce58847f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000074

Filesize
19KB

MD5
5e5ae2374ea57ea153558afd1c2c1372

SHA1
c1bef73c5b67c8866a607e3b8912ffa532d85ccc

SHA256
1ef458d087e95119808d5e5fecbc9604d7805ea4da98170e2c995e967da308f3

SHA512
46059e4a334e0a5295ebcef8401eb94b8fa0971b200f0f9e788ed61edae5018c917efd30b01631cbd6bdadc5240c9fcad2966ea0aa9c94b538bcc369e10bbbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000075

Filesize
191KB

MD5
eaebb390ddb3b1c0e07904f935d29bd9

SHA1
dca8da5b24b1b18b3c8dbc2523f5d145fd4dae13

SHA256
9478515162e79256323883a5092b39e0045dc8213d7dcf7be5dcc1ec5b70e9e4

SHA512
e2dae28c4661b3bb65b3811803a9396e1c9b16eb187b60f2d4d1a8cc65e2ad6ce0931a48e942b5d920bdc263ea939b9164b649edc3752e83daabef9366a186e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000076

Filesize
364KB

MD5
1bbfe828f62ef9bfe3c8dd5279b49471

SHA1
2e9c9c488c85afbfb9d51bf4f7f600c75454769c

SHA256
e98b842917b22e3412227373252bcdc18b281bf6583e7ddd3da75ac31daa7f68

SHA512
3653e238dd881c1449d64f11f357a59f54147a84e1b7c61e756ddf0847c23385b718108d99299c54b6bdd5fdff1e55b38725d72a5f4bd507208e4be037bdf583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000077

Filesize
399KB

MD5
60a49d2550bc927366cd7893d2d9c4d2

SHA1
1b2dc9079a8353fdd95154bc01b2b9842cb86a53

SHA256
b39fd96caac37a89d3815985b6eb07f97244e21773e8aa399e7cfb4b714b2b30

SHA512
22de5d7d36ca7b612fc5c1be5958bf1bd660d1d7d3255374764ff2971718f6dc7d1631e64c65700e0acafa39f6ac14efcc0d54c32b3bbd63e1364c8a91433859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

Filesize
444KB

MD5
4bd5656982ef46de3263d991427f05a5

SHA1
e99d9b8ade67fe8535465bb539a66d9acfe65e45

SHA256
f965e4026bab7f54cedd13f0d798eeac7e323f65ab4e1a09333f9cb015560f68

SHA512
da98fcdf0f15ba5e76d87dc352069121f9dd03fd325d591de10b159e72ffcba8ca0962d44ba6777453daf45454254284f1543a6ab07c6bbe1f8fe507ed03a0aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000079

Filesize
377KB

MD5
9b61b5fd9677652844c45f36e71abb4f

SHA1
25219861a0cc1affeefb59c0040a74e38d4593c1

SHA256
826ffdd92e741b069bab63b4f138ba29a62692770120da66d1ed3ba72957b6c9

SHA512
cce39dba82f0ff066f71cb371e31d2a820f82338f37a8c82f7b3709f42cc8bfe7ef5cff1cdabfd0825a2cc1a5ffa5ce51c01e1891b1be29c18eb2e9a07fb0ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
403KB

MD5
714e7ed8d4cc38013db0d5c9fbff48bf

SHA1
352486e56f14b395edf4c1ee0bf7c50f224a3ff2

SHA256
37d6113cc70d1717825af31a4568f4765f23ac6be8e1f69afa2d7e0e0c8fa1f2

SHA512
0a320952e85822e6ba2d63671661861c4fc4a723b5dcdc65c225369c6ec0d257ae9404648447758ee2eab87c335acce5ca7e89799b017bd0f2564497ae6c291f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007b

Filesize
498KB

MD5
94a27146ad61d47571b898e0c7ee6793

SHA1
6049a720ff5459fd850d61a93297262cf01cb2bb

SHA256
b09669b3c22022066a86a94c93e6a26311d85d350094cda6b2732abfc74a375d

SHA512
f914e87fc4545c3339788e959c688e9b49743f10a08a0ffcb36993111f8b0dff09dc6877e33e821bd05e0bf6b4c473583a00b8f8fe9e72acf7c399dae894420a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007c

Filesize
456KB

MD5
7b2d782ba1fbe2c2e0d5082fcc3d57bb

SHA1
814f05fe003859b961dc13c402bd8fa854f7e41f

SHA256
ee44c33712ce7280a97b5ef46305aff9e351ff5ce57c7e26502fd3e302ae7554

SHA512
c7438ef2b40080c5b0fe28ca76ebefd0291b27241533b04beca38e98c2d88f51b1e43922c3a4cee491db2b89f5e2a4cb007ed7241eea746d57b86f5d7b3b064d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007d

Filesize
502KB

MD5
331bac563ff64febf1e84f01437e7019

SHA1
0fcc408fc4ea6d79f4613bdb66bdec2a517bf2f4

SHA256
3e31a0e2f72da10e914fd68d2dcff71a5856071abaf4b6f78f104075bdf0f127

SHA512
94ba11ca7c857c6b0a034e452f8614213f9f7582e7a6ab0d06d59dcd0068054ad046955375a2b6ed7cb39d26ea0bce91a37c5d5e412f37fc1998ca9de93a450a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007e

Filesize
500KB

MD5
d0f0df51a9328880a20171d669130bab

SHA1
1935f8f05f64455ad9e06b9df596d62dc01c79f3

SHA256
a0082c5e8d8e6201eb87ce0682c67866b56264f0266fdf62559a27336fdde668

SHA512
1da7d06cff119cfc6d9566d747e166ba8d388ae97110763d5d7a02bc7084e85e19f242bcc98561fedd76a32fb4dc83b787830dcc90058c208b6cc89fc0a176dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007f

Filesize
685KB

MD5
114d38110825fef3484ecf4d966498fd

SHA1
1d57351678bef9e8472a3bb1d73813fd583ae18f

SHA256
ec4da54ef2951b117b270de896e3396c73e6023e27c1888190f8531fce71f112

SHA512
ed497c73dfdd398f114c636f97c491903a695c03d9bced749cd9b759a2c1376c4b21576b7c410e097738d253dfd2d2eb020790c499fddec389ecba0bb85ed44d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000080

Filesize
153KB

MD5
b21ae2d5e8560a73f9dd3f99860e8972

SHA1
62647382f48913a4dd72f9e710fafe4de0f80d35

SHA256
5e429dba28746a75411f1a306a96420243ac7aa8750d23c114ac83dc5d1099ea

SHA512
21edb99e59637c795ca32a366a74ad805bc5104408e62472f1d6ace1a210ae49e7bae88a01096f6e93e1a9b1dee75a482459f78fa46a657e974de1fac97c672f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000081

Filesize
495KB

MD5
cfd87a846ee4ece608a2d02038d5a7fd

SHA1
f215e4547c148f6c0bc2925761ce64e509fe8b7b

SHA256
214440fc09b81311a6d9f2e7c30bc89b0dfd8ded9eadda8d29e9d65b8dda2cb9

SHA512
00e848fe3452ea566b890575d9adc00c57f6abdb5f966a43a29f973c7b3ce745bac87ffd6ade0622fb39a67ae3d6e9e8728fc47a37d790f923ca9917b953d67b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000082

Filesize
80KB

MD5
fd31097abf125b373646d5cf220be0b5

SHA1
affc0d5132791a45cfad8cc01f8c71528310cda5

SHA256
959c11fb4e3fac24b3248e78f67b64efe0a74b1472c5071699f1ce5dcf953e4f

SHA512
cb755ca94d23539d6f899929b7d2306a5e79694aaacd220cf9e94769c4b8e2832a441d3ce9ab96beb15294c1a1e23e3f40452d42b58395a64400217a36d228f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000083

Filesize
22KB

MD5
40b5b51a00af1046d4711f3d9d45f815

SHA1
eaf88f767f95377b413328abc14199a000be47a2

SHA256
b15cb3079d7ff134d729fb84746fc8e1a34da3bc1d7c8f7c904b94e58fdaf23f

SHA512
e52c5efadabc8ef22a08b7682ef71b495f5501b4315e2b535e67e7c0f7106548ee34a1a5dda84291c77ef4abf32c840296ed9a64cc7ae548f8467236c6c7e282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000084

Filesize
503KB

MD5
89aa0091de84d819c706f14ed503fe95

SHA1
9c8257458933c82574f6f6d207f14aa71be89edf

SHA256
25a7441bfaebd778731913d6ffaa846b10433ca1648b10aebe9e3c7e0ee40640

SHA512
d010ed568c9fa8fe64d3a9dba244d4c768aa924742c0f2011a33a10acea0d48fbfbe7b6a5fc71115b38950e74782aaedcfdfbafd790c4556d9600f4b646dde40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000085

Filesize
274KB

MD5
cdd41575bb5d534d7170f15ad4a0ff58

SHA1
91d7e79d862b25a75c8c956901668f3376bb522d

SHA256
c0d3f4189df7576175e6d4751237b1753956c894b72e1ff161371f9eecef6d98

SHA512
060f9af264c39e092225589f2e3df390fdd88e918106a121cf43e50c49bd939669987fd4dfb4e06c9cba324d3be27c94e5bce4dddcdb28e5d7daf90ebbc751c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000086

Filesize
491KB

MD5
4c160f68d587d67a625fa2413f4c7f06

SHA1
1b7846a56b75e75b16b09655da6e526d539a08d9

SHA256
205f0fee8431de9d631998cf6fcfd7d8bd8658e9f29afedfb52ba65747cf16f7

SHA512
229eb1add9933ea10a18955a68d767d9fc8649ea646f505d918fb8c5b88076ff380f95ca5a06dc458540a67625d015db936a1ed9756cee854cf9b22a02e4259f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000087

Filesize
511KB

MD5
9b51024792471a053e5cc6cf05a97a08

SHA1
909a184fed43e027a7bd794feaf5997fee5dfd60

SHA256
04e1f3083850f9b23b8d95c5d759b7e13676e424111ceaed5b0fa1919ed1bb62

SHA512
2e90986f2863aa6ff4da80dda46a3f2d2fa06829e38ee7e33e2e87be2cda3444f59a7b80b3533c809c1ff4986c5ab7a09664486173fcf52693a5aa16fb19cf9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000088

Filesize
125KB

MD5
0ca44ade64feced07cb91c8fff23c1e4

SHA1
f5c277b63c93bece53fd4ed2984a7fb9974b9e74

SHA256
eeaf7de7edffc5538629df507b8ef15d369f29ef019e8551c953cc1a70939984

SHA512
fbcbdf6b262166ffcf48f42ae6d407b544e7920d33749b96ac63b045411bb792e285dc449c820da2d13536d6c4218527c73b13f36235c70a38280c8d9ea479ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000089

Filesize
698KB

MD5
b7078f35984e5926c15d2a0844b45ef9

SHA1
e6858c9f09c35b97227efe7973a8761ee14246b0

SHA256
4d3d1c91ca5ad6365630d1043563afaec02930ad53c79200f142fbb3604a6da8

SHA512
684ab21e55c68c377de4cd53c9b4f1859457a91b6202b4edadd0dcca47aae5f5fa17d006425a396a00f6efe68bffd7784227251221b127244d9d2c04edb04773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008a

Filesize
474KB

MD5
ca39ec6333e52e1582d08b4e65d769c2

SHA1
f719c98e70a40284b28e1588503bb04d492d6447

SHA256
18a90310f39face59e085ebf31a6199dc5383ef9e4b36fd5e64bd6b5ec06b376

SHA512
109ffd4e6c283e2d852a6de0231ea79c1914bde1567f7a6122667e0cc1203b9e8b4815ea933bd935cb44aaaea16e859715088de506423e59be8ccaf546a727a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008b

Filesize
507KB

MD5
242f60d7f933122abdb7b6f81fbb16ca

SHA1
8fc76cd71988ac767dc76ab1e66cfea877d09231

SHA256
c148f95de443b360d32e3f2fa905a018188f4ecd8ea24376d37e1d99dc9b90b7

SHA512
a38f626d9e24fb8c17144e1ec6dd04749734a5297fef3c55fda5da857f202b3b2312702ed6590ba1388ef7b22bded4fdcb9edce7e5fb310359ef7418ac06d5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008c

Filesize
481KB

MD5
40c2f83f65fd06e07a4a502f71af9c44

SHA1
d56170c7107d3a40c2816892a3058e80d74e3f51

SHA256
96bbd0f32d6177c7e7ec00ba80c1a366e75e6ca66f1c22dc393bd90a9a6d2cb0

SHA512
611fcda4c0c319484196ed2219d939f6eb04e44cd8cabd285d56e7ac4f1033053a3ebf3de62de1fa85bdde1e22b7ae98eaef9e4a91b66e8ee30af1a5781d7d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008d

Filesize
297KB

MD5
c11904453f03f3229a8bd9a151fb4db9

SHA1
fa419ab632d8a533b6332aa85abbf90b90151080

SHA256
75e8b95891e7ae11b4f42753e720a7ba9245f2f86c26fe7d48b5eea2afc9b910

SHA512
688abf15586a6c3ccd6fb7128116b17de16563b1e0a47d7f14df06e63b43b5f7c013730384454ce7c641e31581651ddd7f393df3dfc343fc747bf7876d4a20f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008e

Filesize
61KB

MD5
91bcca5caeb9a77498d7db77c1ded823

SHA1
83a511e1c8eddd07de5f878a46eea284fefe3949

SHA256
bb0ead5666707cbfc7af8c4228a902965c9e3a9f801368b2ed086a890b380dc9

SHA512
a604874e3cbf4b2e28e7776867279dabfa8a6bad51278ea9af010f49b1f939a03ce4d8050186ff5c414214921f5fd7187537a5fac3924efef64ef886459fd135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008f

Filesize
387KB

MD5
89c43e2621f433cf8874a1c349afed7f

SHA1
e164dd05e49f445107435bfc8a72f30cc3285b35

SHA256
3ca69b212aea1a473463d641a5031d2b38321534dd33edc492f8c64ffc58b762

SHA512
279552ae7ec98475fa0c3845d3bab46688ef80452fe5c0ef6a9657314177dc65d2dfdbcbd2ba4ccb6b81b634a9ad74d113b6672461ffd750c6e21b28ded1a0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000090

Filesize
396KB

MD5
82175a812757717bf4ac9abf0d400ca9

SHA1
fba1a663a380af15b8798d3ea009c78e2033448f

SHA256
b65644e857846d05663daed30780c6c8ddfd4a02fde86957de72c0636cd1d742

SHA512
bf4d34453b17f5fe280f742c9fd58b58e748b7de5591f7a1d92b8681d553c4db91a23a9b267f885e8700a7098ea2319a85294e3706bc07c9b1d8b669549f7a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
828804d32638f8253e2ccf89e20b6942

SHA1
8e0feada2a7b0993a7c1dc20bbd1ef1932930585

SHA256
859a558fec44059e44435d2da2767111e1e17de62bd13e7a5126fd645bfba284

SHA512
f135b89bf5ce6aef75fd6296cc79c98734937ede7d543374469f0e4965053c42e495de839d97a062baea6b70c146700366d8f6f9952ce2903bf2d7e343d8e400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
741c3f88ce3c0d513103ca41cbb5acaf

SHA1
eff994bcd8768deced18633834a1f55352872ff5

SHA256
ba50bb7f083c6099439382788507e2778f93b1a9b04644a7090d4d9327b4a491

SHA512
0eb99024c92a3021a1f579165b23d6f66c842188c681401469a925d06570d8c8f204be43f663102b2c842e5f9044938e2ea1a9964337c88b36195c3ca171b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
33445d068bc0ba0afefc7e79ef108652

SHA1
14bd291af9350c1fd759888ad6306464cc89237f

SHA256
c043f08885205e4213cfb3dfecc13be13807df428b9caedc9e5a738a1dd67c49

SHA512
d7fe80048d1090ec5607e394cb00f425d2d16f27dcbf8ffdc07276e76ee0a4c67d8a375d408f3ffccf3fc0bb40e02ab67889d841445f86a5ec94175a49c5962a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
192KB

MD5
e2526a3d1cfce3666d6f434e143c5541

SHA1
9d7061ed64a9d54a6e943af36d1b5b62944654c6

SHA256
0e5e4f6b1b518ec466583c05947d644798c1ad230c5eb0baacef445329d23d08

SHA512
2474cc4d9cfef14831e0225c9682f57b3b98bbb6ebec5173686e036c6e740781fa6a95fe52c1cbf16348cd9582be72e15468e6abf645c28e4ca197e6298f7c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ac8f8a87798d514682d7502ae613e149

SHA1
a524f9134085c159d3525101b22a6b4b5045c59f

SHA256
4fd28c58e7aa00a2c89c4762810c1c0c75aeeb42cf79cf7c8b08b69e29863b6d

SHA512
d36088f784b168dea2ba68e5b34691517e0ccc7595799a6cd713efb3eceafad40e1a041cc3d89c19353cb4f8b10079441602371e642a33957c1e45a008fca333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9a4796be21b691c544a5266d72914faf

SHA1
845eb093b2cf03631f7865fb8b202d6850b2390f

SHA256
c56aed38121f41262e3e1a6a6291b98911e3d34d48b93bf57b9fed7f87983d9c

SHA512
0cb215b0fb4e15b9a5141c890a721be989303b9cb51ead09a1141eb6ee99d04724e71bc5839b1e88da19ecba5378a58d39beae05ac45427156b4073f977625e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
4f5b76aa7a4a05b5bbb89037f96accaf

SHA1
b3ecc96bb7d0bb10ac091007269b94953f39baa8

SHA256
895bd9022b896586ff8bdb98b457256a2ae85086ee16a5735d83cb3fb9707c37

SHA512
18522b7f62a1db483910c3f5c1914dcf41a4693da3734b2e99661daccd60aa7669f334469c600b2b48fd1a074a9c9854886719ba0bf58b5bdaf3ba538ddca10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
36953eb8fb8c1967b9ea0da69aec6f03

SHA1
e37fc9cc92222a8e5ec8aea611326abcdd042954

SHA256
0d29df305ff5ea626451b9aef4351c4947bf91805e673552dc42cc510910cd50

SHA512
92a4615f5a06a7650272b8bb6c9626d9b46635f681d65f9e09168e506cfe91ce9ecfec1927bcfdabe915a8ac6bf2f5ee345e8508e2d5fc77fcc5ad0010b15ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
6452e5a31101b8a12d7f704f73964317

SHA1
9bc30fe26f727cf5e4dc425d4f59d9ab584f45b7

SHA256
a92f2bc04f62f0f40cc892dadc36fb870ce0804cc118c80143bbd50ee969bd01

SHA512
ce32f01ecf05d64b860706ca1704b1296a2ff577c35a1d553dc95093be6246c0cc6f6758f8e93cc87518c53fcc75f13097df472815310ce938617542db23fdef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
902886015144030eee3f6aaeffb6866a

SHA1
d7a303331bce187c93f9a289984294e6f82ab3ec

SHA256
9bf0bcaeeb8f964e1ddc5daf57df4ee42172321b9ef41e8c4ffe85b9d359811a

SHA512
7ff9addce0048511ff0d33a79e80b5df09add7719bd0b0080fbde479e23a0e81961f155e953d7253aa18a4289894808a4f7be345a36252d75ab27913306ea56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57abe0.TMP

Filesize
72B

MD5
9aa9a741c4d57c28fade91891b027af6

SHA1
119bc3ef8ff7e9b60d7e57e8a16c3f27a48faada

SHA256
4530edf41a7bb49847bd876e54ccba52f5e1c15e92e098491807deffb545fd22

SHA512
aae237158c272e702ce040ad30b6a7b7544619fa6be611bbc1f078b1f325d0afbc304642d2e48a5a8b63a17d6d80b55cb497f9e63b7a4e907bcca99bbd1a76fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
172B

MD5
d2e30ea8f26b117bb58dc7c6c68af4a7

SHA1
ada9b8df1ec3223a033fb230d585f6228e6aba4c

SHA256
127ee6fc84351fa3bb0479c1f12e6fb6761fe834bd0ffecb63366fe475d1312b

SHA512
01327f18b9e248885b9c4aab3f542bee6992d36431c96e05e42c589e2df02c0b5107b2cb6b420ec961f2ddc1995c7e2935f4607dd2b54683713b968ed2e19d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
4f60d1ec8054cba8d8dcb369e12917b7

SHA1
3971dba5cc5056c07b7693e8113822d9d17d6877

SHA256
abe950b7b2d70959f70767e760d0f105bce24fa396d29e65369133fcaf68ed92

SHA512
55d2dedd7d8fb9fd67b36dedef574cc72bc080b7e89e65298befde8cd6d580e8ec85401a7dd6e6398868711821ce9a6042e1431b5b8e7a29758dabc00c5d1c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
905b9d4d4904c4c9d52ce95d5199afab

SHA1
b32681ac068a816cdfda757fa7e8df17a8942471

SHA256
fad9f177f4ac83737bf274fc319fc7421c15151e268943c15f9fba70ab088ae0

SHA512
d689a0fc2678cad373f836b6349e358bc83e67a678cd220589e77f2d95d93e687c722195879d8229dfb8292a97d61e1ee7632b2c82e92389fb0b6776253055bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
b4c664e691955252fce6176b23e31b3a

SHA1
c7d8f23755dd4575203b21d51b06c67a1ac826ba

SHA256
e01ed7de3d29276dabff0f3022b83d1f375bad56e6c7a2823b38c0db8727bc20

SHA512
c7b99c48d4212b3650de6847eea7bd14f73e9ba81c7f58d0092978a1339f6d39277d6b2ea55e918b460f42388d84d51793143b84bebf17afed2a730450e10e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
905746447e43699d40ddbeca60b9b5c9

SHA1
c1aa97975f5ba9d839972aa4d3b86ce250c2a70e

SHA256
59886566fb4e0c763c273b03bda67f1ac5a082a1e845fa4be4233608a507731c

SHA512
8a7c5fcde61d9b86726f3afd36d9d2419bd9b84d296e01261e7e7f3c3a14d1f00ce5bcf47034f4a06a34d7e6e1600e1d75e0ffb0c9f173de58c3bc725f9663d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
e55a435ce430a806133136e47f8b7816

SHA1
06e511543c514b5a16837d537a8a2a51fede1a46

SHA256
872f5b041973688eacca718a097c12a428db36dbb61951cd1559a7bdef90eea3

SHA512
115c1b390fc8e6d7d4a1b27390ba4d238c117ed3100d1e501491fd8bd778dbe241631f6cfdc3d372b8c1c88f71b78a4c042a9e33757d9e37f878a137d8f0feb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
e881dc13c6511c208d44e458c94a8903

SHA1
095dafdc99cfbad8caccb821204eb921605beb30

SHA256
529e60d0314934b5d79256d0a65cf219dca516d102efe16eb9f1d19d7d4d2a2c

SHA512
14b2826a1db0553b99780d1d527760102ac136400cff29376d9a50104022c804c64d71f7666ca8480296d5ee8f86ebfcb22e786d9d1ae4b596011504510062d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
79122541e801ea41ce3e7910434d160c

SHA1
452f11df49faa7900b58937dbca8d917e15f9cd3

SHA256
bf1bca31b6928d88894870e9603399d4bbc4928fa7bfe7df93d7ea3bddf081a3

SHA512
417a0fdccf8a52f9218a0eb4d81cdb363ffadd7dc768895004f6045b66bb1ea1ea5c95471aa9eb70aad2e0533363799ec5b59705523eae886850fabdd1f0d24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
d0f4196dcff3bdbcf9badd9a400c9812

SHA1
5a8fa74394b72e8cfda9744b1da19cb3ff7596af

SHA256
a9f3b8fe29462fdf2ab2bae862fea4b6d86939b719f81a396a0b0add0916f3ad

SHA512
b7237cead554e4da91ba20e2a4088f250dceaab4fac44d133e93fe2853057233b6f113cc9125d3f56263f2ef0a2801c95b09df4ca52636e73a4268319758bcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
8e59c685201f336f66caf1ca7b7d2da3

SHA1
8931fd2584e882adab17bb509ab34d5493257ad2

SHA256
13ba270676cc95643292f98ff33f4380b7361b61d46e48ed556edb5b351c9bdd

SHA512
4551dd2d9d1f1c3ba4a5197718f797735fe92acb73584ca1f6a0440c1e1415f28df195dfb9230842c76e65608f75376f735c1709e06625a14f56378862c3000a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
cf15b2c6bdf7d0373c55d19f32a2c5a7

SHA1
5a721d2374326eaac3133dfe4fa2a7ec5617f9d2

SHA256
60d45202b9ec0b490fc115decc5917477edd2d6ca2044c476df75d6f2c71a0f3

SHA512
8357f91732d27a3548d275894283871f101d3a948078d4a1c2a7d491a8b6cbf55d02e997bd8a798fea5575da57d57321eeb6015594136c4099f6df0e8571078e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
41e44c44ffd4ea3ac5a646af57105b68

SHA1
9be71b7cd471f760ef1a0783ff31cb67b6ac83ea

SHA256
90248ac5975a964f1d3f62fbaa532dad3cbba15ca83309a6b856320115d781c1

SHA512
5c170308a812e4aec6c1740e4008d4ca17391f138c8c2f9d761f57929ef2edfe6a1760dd93e4122d89a904b402b06ef74830dcea0752f67f7a4b973f109d5667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b18dac7f48df23ba062c7d6094ae8634

SHA1
3c1e9b51cf5442c93cf16cc89c637ed143754f03

SHA256
278fadf1d2d3dfe6de3cea2b8d90d92914876bc6ba43d9cc1f0a2016e00e7aaa

SHA512
d96b086ad617c44bc9c7619a9aa294639ef79a7824e28fa4334e6085755034ee0f2bb64f439113dea650c9f79518da6e8bbdd6b66539c0d7b0f31b38ef95cfe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
a5f413601d0a4d2220c5ca11b14e4369

SHA1
c0e732705a9098e1f300dfc0778bdc0935d054dc

SHA256
d449694efd58645bb5f8d30edea96236053313c18a5c0f997ffb6b27787225c5

SHA512
95839504fb28e2268d8f25e6063b3e0c911f2bf80ddf5ad9ab26f5a943f9353973e19b4509712b53dd99424f9b929a38eb2e55619092215507e11b8f2f470314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
c6f08e104cff76b35da33f339327fe64

SHA1
454324915567b9817d19a18142f2214bd74d61aa

SHA256
8a05ae2a4d74e4c9e7e5e50525a9f4b56e5ef1e02b122391c3ca5a1d7a8acb55

SHA512
a3cbdea99c25fa1c86930aeee69d4d5582c685ea639326e03da593033ca3b20202133f8ba7e45435c6d611710b552a5607682d60c21f17728b6afb777d304442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
76498639232448e5d00ff49c4a9f97fc

SHA1
391955b7e46fa39f949013211f358c153303fb53

SHA256
9ffb91f87eb011fb956aef38e7d7b069677206378c34a074de3cf987fedd703c

SHA512
7b945933850be695408205e6d0cbe3c80825d91f0a21d0a5c49783fe42ec93d41056bab95421a3dd19e8630febc2649efc6f855918b149263ef39f923e5e9804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
332e2793392409c8923ea579d0b8a8cc

SHA1
ba59a0d04dbf9e1e94c4f606004ca578efbfcdab

SHA256
06255ff6d8e994584a6247d32327ed1780f8475ef9782ab39760ea4fdb892136

SHA512
03845cecee4c3a5596d000f3541e2b030bbed5200ef4b5fc661e65f7ade8a59ae4df346a3803b6b1e2fa1bb449d14a4dfac088c650b0ea0c607e4d16a2b3d0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gkimq4t.tdz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\nitrogen.rar

Filesize
8.0MB

MD5
db499cb5c108a3329f10bf82365a9852

SHA1
d75ead959224fe33b2cf5373acd44c62573b2765

SHA256
47d0da40aef454e79def303c63906e26d109e8afcf882734b2247b5c712451d5

SHA512
f64396554ea33c30aae0c47fa09677f69fc97c1ec9ef41f3a6f5eea6c306072b31c185344c10932aac15a1370342c286f1d20e1aa8ef8b63f4c1ea25df91efe8

Download Submit
memory/2648-1095-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1093-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1092-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1094-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1096-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1097-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1098-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1086-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1087-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/2648-1088-0x000001D364130000-0x000001D364131000-memory.dmp

Filesize
4KB

Download
memory/4268-1037-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/4760-1008-0x0000016AF4280000-0x0000016AF42A2000-memory.dmp

Filesize
136KB

Download