discordrat | hxxps://mega[.]nz/file/snMBGRiL#T7imrIQTG1innfTnUe0P8SXHucHR8V-kfA4HRuW9mG8

Analysis

max time kernel
43s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/snMBGRiL#T7imrIQTG1innfTnUe0P8SXHucHR8V-kfA4HRuW9mG8

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE4Nzk4OTUzMTgyODQyMDYyOA.GjJsCQ.4sff5PGVKTHapuDdrjFOHXGemkTsTi27OAZAso
server_id
1187990265613537291

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
2348	nexasploit.exe
5684	nexasploit.exe
5796	nexasploit.exe
5912	nexasploit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
77	discord.com
79	discord.com
53	discord.com
73	discord.com
69	discord.com
71	discord.com
75	discord.com
47	discord.com
48	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 211546.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
2552	msedge.exe
2552	msedge.exe
404	identity_helper.exe
404	identity_helper.exe
628	msedge.exe
628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2960	AUDIODG.EXE
Token: SeDebugPrivilege	2348	nexasploit.exe
Token: SeDebugPrivilege	5684	nexasploit.exe
Token: SeDebugPrivilege	5796	nexasploit.exe
Token: SeDebugPrivilege	5912	nexasploit.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2876	2552	msedge.exe	82
PID 2552 wrote to memory of 2876	2552	msedge.exe	82
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 2484	2552	msedge.exe	83
PID 2552 wrote to memory of 4492	2552	msedge.exe	84
PID 2552 wrote to memory of 4492	2552	msedge.exe	84
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85
PID 2552 wrote to memory of 768	2552	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/snMBGRiL#T7imrIQTG1innfTnUe0P8SXHucHR8V-kfA4HRuW9mG8
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d05046f8,0x7ff8d0504708,0x7ff8d0504718
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628
- C:\Users\Admin\Downloads\nexasploit.exe
  "C:\Users\Admin\Downloads\nexasploit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,404811471533501444,8470561205016115497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5652

C:\Users\Admin\Downloads\nexasploit.exe
"C:\Users\Admin\Downloads\nexasploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Users\Admin\Downloads\nexasploit.exe
"C:\Users\Admin\Downloads\nexasploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5796

C:\Users\Admin\Downloads\nexasploit.exe
"C:\Users\Admin\Downloads\nexasploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6e3c888f0d35a4957894240d16b2bc08

SHA1
9847dbd425eccee7ab4f50b68ef3007255739261

SHA256
9f8b4712960f8eaeca1797d7ec606580c3eb0a5acc97a83fe0c7c885e28966ec

SHA512
a9ed4f7ff66f5ef796fe2d1a1f4bf75f9d096d8bfd28830137560e5474df96b3e9b2fb69dddcc7fd8fe390a3bc11148c510d0a35ebefce1456d16be83c510ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
321afd5b05748df34f06d33d8fa612f7

SHA1
b01fe0c7b2ce44babd8ee1a020c3bced6074c2b5

SHA256
7879c27dc06f9e9d206261d8c5cce0f6c4f69f2617bdb4e4cb31f9cfec46731e

SHA512
9f01f89fe4d7e9ca6e5b384e47948ad0d4d014d218ba256225721004fbad957856107464d22985048dd2a8d12f97392270e829d825dd332d63bb0260c54c85a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2577c81213c61f13fc10602ff7ad99aa

SHA1
810676897503cda97c26bb2d09cb51a5a4466395

SHA256
7ddbfce8ca879ae98f0e5d1da37e0b4126fe21716c562e41f34e03a62cfcec57

SHA512
3d6a00ad918815948fc3a736268d33643e3a84e00ef716a34ff38e44de340cfcc7975bc6100e4cf8d801bc848e1247c9c13ac8e4f277bfd12371a0b863d581d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e2bf238ee3bab7b2a525fe30c2e0e2e

SHA1
39505850864483e02f051661de41665924a4ecd9

SHA256
884c8dec9bfec4178c1a3041322007409bed75cf82d955e684921e80a1512e9d

SHA512
3243ed07179f2c82c3ad7d80c465a2356cd29545818a059966bed919522d2b0387d51ee5d4bae2f42cbaa818f5bf8d25889a264ff0b4c6f539b99530894f8fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
426949b0c0e146dc4e33de64376bbc0c

SHA1
e3779d025bc94d855eb0362f1a170e8a8b3f3aa7

SHA256
fb33595f80d4d7a06afdaab260b641ffc0499338c4cd070b9c5b2c8bce6b168a

SHA512
883cc158e79892512ed0eccb36929c1797b9c175eaa650bc0c588ec961b9770a5f296cfd235694197ff97dc62c54f55644ef5151f441ecaa028866e7e1b719ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578dc9.TMP

Filesize
48B

MD5
a74c4571a9e42d0eac09be7d96907515

SHA1
99aec9154a93526f5ff30331f2310617a292ac3f

SHA256
35ef79022cdb17b4ce6070d3934528d0da81770216c0ace01c51fa06b6604903

SHA512
bb920d308e27c38608a6c0dfd03caa3d0cc0efc4244029c77d4715f020e6f482fe8e6bfd027fbceded3855084ec927c9b4be66956659eab6c3b3d620058d46bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c57feeb978481948f396db0e7428eb7

SHA1
eae6b4a79015daf16a6177b0fca3f630b7327461

SHA256
8a9d66bcc79260b14354c84518c6aa85bad04667fdf7701c1415af2d08203576

SHA512
51fa380f5246b64d01657a606f2e45fed24c3a20f11ab8d282292215949e8a01d0d84231edd4ef324bc6206e894702d7492f9cfb6d04609786d25053fc6c0ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31863fdfbb9805827475feb2aa5a977f

SHA1
de75a5179fbeb226fb213f885fb03448e9e55925

SHA256
21d8f0488b005e88ad5bd8d1b96e83fdba67094ad5267b5bf0780facb1d9db63

SHA512
26d57879f9ed2e7a9e36e2389ae6a8569cef1550f4682fa3662c481db0e5d98debff6bd9682e8e9494157f2fac0f358b75d3ecf3a9a4a1a701f9631c7dc54770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4090af9ca0201cd0981c94ca0e1a5d9a

SHA1
29939a356ca9148a85c84475b8f03f2a0fd29b97

SHA256
e17ff3a1248e6eef5af0d06bd26ebd89650caffd3e2b281207077d0ea0ed28a4

SHA512
d82eb08c06ac0df4d2555724cc5c18a853de0bff7cb6ef102b055ba18649f1420da821204878948b6d64482719408ee1ab82a58091bfb0d97f7ae05c7b6b4019

Download Submit
C:\Users\Admin\Downloads\nexasploit.exe

Filesize
78KB

MD5
61042d0e794ba7db1d331778fc4cf416

SHA1
6b732bd0b5668b67212225e55bcdb291203b79dd

SHA256
ce5af658077492e5fb47494ad0c55c91771e9492302defdfdcffe33dfb1f5ae6

SHA512
767fb71ef117906d60b60fbbaff62a96bdac0111364736ffc51b95a6f90d2fe880d1f3e37fa7d788e2316b9aa99dda69167f0ca3100e6a20a83417dbbd0ebd30

Download Submit
memory/2348-167-0x000002C8B03B0000-0x000002C8B03C8000-memory.dmp

Filesize
96KB

Download
memory/2348-168-0x000002C8CAA10000-0x000002C8CABD2000-memory.dmp

Filesize
1.8MB

Download
memory/2348-169-0x000002C8CB210000-0x000002C8CB738000-memory.dmp

Filesize
5.2MB

Download