discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1255165018316476447/1255558363354501170/3CXLoader_[.]exe?ex=667d9158&is=667c3fd8&hm=950231c069ba69496d01d28eb6622c69dee3fc05e6d4b730213ed456c6c07cd1&

Analysis

max time kernel
71s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1255165018316476447/1255558363354501170/3CXLoader_.exe?ex=667d9158&is=667c3fd8&hm=950231c069ba69496d01d28eb6622c69dee3fc05e6d4b730213ed456c6c07cd1&

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NTM0ODAzMTI3NzEwOTMyOA.GFA2V2.Xn7ioNW4QOiq2qIR5-q8URTs5_7FhbdVLeLF14
server_id
1255347532347736107

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3CXLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	3CXLoader.exe

Executes dropped EXE 2 IoCs

Processes:

3CXLoader.exe3CXLoader.exe

pid process

5628 3CXLoader.exe
5808 3CXLoader.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

72 discord.com
73 discord.com
50 discord.com
51 discord.com
55 discord.com
71 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5628	3CXLoader.exe
5808	3CXLoader.exe

flow	ioc
72	discord.com
73	discord.com
50	discord.com
51	discord.com
55	discord.com
71	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 94077.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1644 msedge.exe
1644 msedge.exe
1636 msedge.exe
1636 msedge.exe
2080 identity_helper.exe
2080 identity_helper.exe
5372 msedge.exe
5372 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3CXLoader.exe

description pid process

Token: SeDebugPrivilege 5808 3CXLoader.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 94077.crdownload:SmartScreen	msedge.exe

pid	process
1644	msedge.exe
1644	msedge.exe
1636	msedge.exe
1636	msedge.exe
2080	identity_helper.exe
2080	identity_helper.exe
5372	msedge.exe
5372	msedge.exe

description	pid	process
Token: SeDebugPrivilege	5808	3CXLoader.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1636 wrote to memory of 408	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 408	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 724	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1644	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1644	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1796	1636	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255165018316476447/1255558363354501170/3CXLoader_.exe?ex=667d9158&is=667c3fd8&hm=950231c069ba69496d01d28eb6622c69dee3fc05e6d4b730213ed456c6c07cd1&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9beb846f8,0x7ff9beb84708,0x7ff9beb84718
2⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
2⤵
PID:724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
2⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:8
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4156 /prefetch:8
2⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 /prefetch:8
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
2⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,10161155223467231467,9626644395767127636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5532

C:\Users\Admin\Downloads\3CXLoader.exe
"C:\Users\Admin\Downloads\3CXLoader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5628

C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
588e716ce5a37546d6745cfe16f4b5d3

SHA1
eadfdaec6a90d4397d0fbf37334a4d7aeaf89295

SHA256
850a50d0017667140c852d189448df57c7ea1c06f13c04503abb4b54a81ddf65

SHA512
dcf827e539ab93459e6828f9ada96d4b609e455f4630ed2306351d133be50943b6a2f03390d9c504e8faea250d732b6e7230665e8710db58d0bc3c6d46b62600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d16a7ba83b2eaa04985369a3efdd0dcb

SHA1
68ee3b8f35ae2059547e56522404d44b34db3ed1

SHA256
4cb81ff996723cb13e80daa7bcfaa697ed33bc645ed792545b23ce6d7ddb47d8

SHA512
66340e4780a6520ee589c23ccec92c0917e2fc39f75e521857a7ed44a4548d49f849508c81c03e7fe8ae4da946dc45213150c1493a99566fe1a8d73fe199bb87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
df8dfad7ff8e7194e80505c63f74ec21

SHA1
89d7efebca3da497f6e8dad1ab160293530ad1d0

SHA256
405e7953d883972315ec2fec7f5cee35c20f2804400c26e0507523359ec0d2bf

SHA512
f80c6fe8acc1658476da9b22da511be1463d7625e3268eb89cc0367b5542a8280d6c7f89c273e3ea000fe263f82abe045d31fdce8a1abb8f48ec7b11cde5ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f75cb796f5b27b02cd9f9dfa5bf02f7e

SHA1
df611b89489ec5a5111ab918deb2d406eb1a4ffa

SHA256
42126ab759048542b4808c8fdbb3892d109259e726a1c0c47bc19afed64d8a20

SHA512
05b69d3288523b705e4fca488c9e94a9ddebdf8b6b7171242f4dd833d49307fd91b7906817519a7717efd9ea82c545159f108352ee9cfc33213b558bfe51eaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
321f95e0e9b29d32b761b718aa68c54e

SHA1
3f95fa2c82e68bac34b3d8a8d71cb98f8f953898

SHA256
cc8d6cb79dbc4e2c67addcf15a2f237704b082300439c4804cddf73d02db66b2

SHA512
e1571554dfe56beade0ba0fad362f1d78ecd5e1f76c275e3e5b4e88f4d78a8b68490d923132c92dce3b69c3e4c6bf8feb17e54f78ac394a66289a9c8995e1648

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe
Filesize
78KB

MD5
59c231f52b80f128a8f5ef1216980c82

SHA1
710bfdbca2cc26a856619808121e23160fae874f

SHA256
e8452a2ffae08315c802c2ac4de41ea328de6fed942890e0682d261e89391502

SHA512
93024af146d4586ada9410ba59f49811454fad40bf61349e99c5b4920449d5fcea3c70ba6a7df53b80464d61efcca708c22847f27f02be4ede4b97ce1678c5f1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 94077.crdownload
Filesize
481KB

MD5
ca937feb56a6a559bb76486481090a29

SHA1
ede94604285d5a3ea756ea50db5fe6b6b05d7187

SHA256
0c4b30258b007efee05b7f39fe6af886a8d1b1c987eb19db54c16bd7082abfdb

SHA512
61eb2830116a4f69f7a895a3754fedc74f089f3ba3bfd05dbd9aa922693c09a45ceca751f9eebbee296fe26cbb2dc01f32ac08d66c02693520a9eaad5e9a0437

Download Submit
\??\pipe\LOCAL\crashpad_1636_IQKEAOQGAVDVDROR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5808-85-0x0000016B1C1C0000-0x0000016B1C1D8000-memory.dmp

Filesize
96KB

Download
memory/5808-86-0x0000016B367C0000-0x0000016B36982000-memory.dmp

Filesize
1.8MB

Download
memory/5808-87-0x0000016B37000000-0x0000016B37528000-memory.dmp

Filesize
5.2MB

Download