orcus | hxxps://github[.]com/d1ppl3/DISCORD-TOKEN-LOGGER

Analysis

max time kernel
32s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/d1ppl3/DISCORD-TOKEN-LOGGER

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

10.0.0.145:1144

Mutex

d9267b4b64f64c65a02dc516c1adb08b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001b0000000239c7-207.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x001b0000000239c7-207.dat	orcus
behavioral1/memory/5628-232-0x0000000000CA0000-0x0000000000D88000-memory.dmp	orcus

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	DISCORD-TOKEN-LOGGER.exe

Executes dropped EXE 4 IoCs

pid	Process
5628	DISCORD-TOKEN-LOGGER.exe
5804	Orcus.exe
5996	DISCORD-TOKEN-LOGGER.exe
6092	DISCORD-TOKEN-LOGGER.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com
58	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	DISCORD-TOKEN-LOGGER.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe\:SmartScreen:$DATA	DISCORD-TOKEN-LOGGER.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	DISCORD-TOKEN-LOGGER.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe	DISCORD-TOKEN-LOGGER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 221321.crdownload:SmartScreen	msedge.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe\:SmartScreen:$DATA	DISCORD-TOKEN-LOGGER.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
1636	msedge.exe
1636	msedge.exe
844	identity_helper.exe
844	identity_helper.exe
5520	msedge.exe
5520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
5804	Orcus.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
5804	Orcus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1472	1636	msedge.exe	85
PID 1636 wrote to memory of 1472	1636	msedge.exe	85
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 2188	1636	msedge.exe	86
PID 1636 wrote to memory of 4864	1636	msedge.exe	87
PID 1636 wrote to memory of 4864	1636	msedge.exe	87
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88
PID 1636 wrote to memory of 4004	1636	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/d1ppl3/DISCORD-TOKEN-LOGGER
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca55546f8,0x7ffca5554708,0x7ffca5554718
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,15986496091619038108,14927177653236303143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5520
- C:\Users\Admin\Downloads\DISCORD-TOKEN-LOGGER.exe
  "C:\Users\Admin\Downloads\DISCORD-TOKEN-LOGGER.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - NTFS ADS
  PID:5628
- - C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5804
- C:\Users\Admin\Downloads\DISCORD-TOKEN-LOGGER.exe
  "C:\Users\Admin\Downloads\DISCORD-TOKEN-LOGGER.exe"
  2⤵
  - Executes dropped EXE
  PID:5996
- C:\Users\Admin\Downloads\DISCORD-TOKEN-LOGGER.exe
  "C:\Users\Admin\Downloads\DISCORD-TOKEN-LOGGER.exe"
  2⤵
  - Executes dropped EXE
  PID:6092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DISCORD-TOKEN-LOGGER.exe.log

Filesize
1KB

MD5
0672db2ef13237d5cb85075ff4915942

SHA1
ad8b4d3eb5e40791c47d48b22e273486f25f663f

SHA256
0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

SHA512
84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8a637d493af55accb77abdc5b23a2a05

SHA1
9df8fd8b2a64c2169da569e8f6308214e73f0abb

SHA256
5391d1e3461f674ec02bd59ad604478d51742f3b2a53dbca4c61f6d0c4c65aa6

SHA512
635147c8daef03aa8cabc06e22e40a5fae3d47d8a362120470a5861a9d2f4223f4b5cb9b77a653bcea2d065dca208610614ba9849c9107fc3d7e4e103c4974f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09a9b95903ef711536b1aa4468f99b36

SHA1
c94f191dd1c91f92d2d328b614a933b3171d4424

SHA256
5ddcfe5197f3ea17166eff54f616edf6c09d4b7951da9c7aed1ec5c0a270d515

SHA512
ae3bd09c57df373294c8c9f994b03b390f279b93a785bb8f091add1ad84d29c23d12cb3759c35c96fc0ba2679a1671ca8eba9798f1ecbf21445f64fa7764f368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aed1fcf2e0183c1d33636a8313915cf0

SHA1
2dfbefcf6f000494bb4a43d00599e59554c4098d

SHA256
9af02bbbbd20c9c68a1d9f32c72b5a4be53831d9dfd323f60ee38e198b6bb38c

SHA512
895a67dbb627d71e76dd3afeead45fd9f7677d6815b26ec144f2527a5dbf4e26dbbf3e96f411e76813248cb8946b27681f2927e91bf72297dafb6f04b32a68df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d735e509d5145d117a05d15c948c237a

SHA1
df0c7db748636d84e1f1f6379f583b1ac466acdb

SHA256
7f593257923fb8a3024ddbc348a5e7b2b6c83f3290353ed70f7326060ae98617

SHA512
859c440f15a93274dc278ded0b3975e361d2ac47e224d0734f70849c4df40617d1176c5ccf3b95ec8e3cbcd451ba0a68c3697b9b389d1174ce59f590a569d67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44b4ea743779958d8bcda96cd2d0404b

SHA1
923f6a62649b1807b4cf5a7cf67e9e680107c50c

SHA256
4498e0287d9f8421a08151b5e181e8b215bc36276800d93f0ff565a1bc6c8b66

SHA512
7d27dd3fd07c6d1ae890c3a3a1b23c1f4662a0326af629418bfa589d3217ce8abca8c92fdf2dcac78d5e20fba81a3361829ebd4eedb52323b82c7ad360a516a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
329a2cbdeb4d360fd91b82b220ae045f

SHA1
42f895f1db526f64b7daf353bdb1bef8df548795

SHA256
4f49c31dc83bdde8db527ffe139ad3e9f180155f4ae9749eb539de032203d2b7

SHA512
9ac9f71240c1f8cca3f1a418656bf129c5622b32c7553e11eb66446ea9d3296394500e2f72f8f938589f9d92055736501269f1017d3e23f432cfcd16a19a1bf5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 221321.crdownload

Filesize
903KB

MD5
a9c4b5f963d8113b53949bde6a6ddbfd

SHA1
c83e3654254fe5536405bb4e4b3ac031e2000a29

SHA256
3d9f904a02486f17ffe4b777051fffe0168b2e8ee2e12e67d506c309ecc60191

SHA512
5876413b19d1ad22ea2eefcd4c566de3d707abbbe9f9353077ea98c08d037725caead2e22fb25c5552a258df5d458f9e604acfc311d80966c42b3abba18b0f7b

Download Submit
memory/5628-234-0x00000000056F0000-0x000000000574C000-memory.dmp

Filesize
368KB

Download
memory/5628-237-0x0000000005D60000-0x0000000005D72000-memory.dmp

Filesize
72KB

Download
memory/5628-236-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/5628-235-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/5628-233-0x00000000031E0000-0x00000000031EE000-memory.dmp

Filesize
56KB

Download
memory/5628-232-0x0000000000CA0000-0x0000000000D88000-memory.dmp

Filesize
928KB

Download
memory/5804-253-0x0000000005BB0000-0x0000000005BC8000-memory.dmp

Filesize
96KB

Download
memory/5804-254-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/5804-255-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download