discordrat | hxxps://mega[.]nz/file/1bcnWbqK#l2XQ8mLHxa6bRDdEr_oqeE1fwL_2Qcs1QVMTFX33guE

Analysis

max time kernel
47s
max time network
51s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1bcnWbqK#l2XQ8mLHxa6bRDdEr_oqeE1fwL_2Qcs1QVMTFX33guE

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNTA4ODc0MTkyMDAxNDQyNw.GFMj2_.L5t6W3b9wOyjA5wOaj6wMiABq3OXuCnXDvHMlI
server_id
1315089186998456320

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5460	hx.exe
5652	hx.exe
5728	hx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
76	discord.com
91	discord.com
66	discord.com
67	discord.com
71	discord.com
78	discord.com
89	raw.githubusercontent.com
90	raw.githubusercontent.com
92	discord.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d45087a9-e597-4b64-942c-495c7e94f78e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241209114401.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 698407.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
404	msedge.exe
404	msedge.exe
964	identity_helper.exe
964	identity_helper.exe
5248	msedge.exe
5248	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	4480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4480	AUDIODG.EXE
Token: SeDebugPrivilege	5460	hx.exe
Token: SeDebugPrivilege	5652	hx.exe
Token: SeDebugPrivilege	5728	hx.exe
Token: SeShutdownPrivilege	5652	hx.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 520	404	msedge.exe	82
PID 404 wrote to memory of 520	404	msedge.exe	82
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 4460	404	msedge.exe	83
PID 404 wrote to memory of 3060	404	msedge.exe	84
PID 404 wrote to memory of 3060	404	msedge.exe	84
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85
PID 404 wrote to memory of 4040	404	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/1bcnWbqK#l2XQ8mLHxa6bRDdEr_oqeE1fwL_2Qcs1QVMTFX33guE
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb7fa246f8,0x7ffb7fa24708,0x7ffb7fa24718
  2⤵
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d9465460,0x7ff6d9465470,0x7ff6d9465480
    3⤵
    PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:5264
- C:\Users\Admin\Downloads\hx.exe
  "C:\Users\Admin\Downloads\hx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\Users\Admin\Downloads\hx.exe
  "C:\Users\Admin\Downloads\hx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5652
- C:\Users\Admin\Downloads\hx.exe
  "C:\Users\Admin\Downloads\hx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7524668798906115513,4065336545237039214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:6100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
14553b16ba78728dab883921f521e854

SHA1
d22f288174ffb722dbd29778aa58549f4e362aa0

SHA256
d4bdff9ae216ef3abb96e211894b86d9cc37b6feceb1043c34c679c7f3b7804c

SHA512
012d72217423121f3e9ef4a4c86eee26562592abe9db4b134ad2f682b527f4055f89d9fac66abefbf9edaeaa24d44d8bc6ecc64b3162d55829593ebd4fa85329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3f10a75462e61bcfec6986699add66c6

SHA1
c835c425686527ed66c2f4f50e6a66cda1cb5f8f

SHA256
05d95a514e844b23226e31fb7035de26cb43327b3bc689258f515f70271d40d5

SHA512
b28061bb73939d8640e8394f6ad52e31b74532bd6a2e1540b8d2712ba51b3a2c2f9bb2b6a109aff4ad7fd5737925c24edc7f7b6db2c2adbe098ab3b1c56f64de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba033d3ae9a0b72debc17c892df7a585

SHA1
b355cef27c273f91bce5edf383ecdb82636231b5

SHA256
aed0eccc0e629c42e5395092fe3b34a83f9aa73ad082a338a1d23f1735e0f5ba

SHA512
06540bc3364afb316a04ac72cfd3d261337ddcfbc0d98a09fe3da5c8de3b340d3050d6fbc583537176e25d2b9509a6e6d28422d51bd866374d7f6bfbe9ef5241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
800e0abb98583de2217785fcff02e368

SHA1
ce2f977667b9d1c2cfbdf6772d85eb0d5df542f8

SHA256
9862b77a46aa97a55c07c7aaca3e66a696a451bc792ccb61196cd085bd607394

SHA512
de59d7d1e0d1794c214bbc5b435d8067e441b25fa39230eac519c402fd80e043864ae1ae6e9e4ce05c49a113c8fe4c8f1fc34141691ea34d0c752f33b2ed97f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
393e51e15fd5a669a13e4dd0d3994280

SHA1
d9099ab43ef2578740b1286ba82ee74595692a58

SHA256
169071edf49b875c129d3e5921d08eef0e365661e5a355f5c3b699a641fbd302

SHA512
a031e46a4eb18f0d622fdf5b6d6b062215cb168e3473d3c6a71b8d910cbdd7a206c334f08d655ad67848534b37e4165485627b1f1e33a28411690bdcc1fdb36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581299.TMP

Filesize
48B

MD5
80d2d14923f7f17b4171a4c951a28c78

SHA1
6e61e3651cbedcc01def96ba16d411078b9ecf62

SHA256
b279328849d5b1f8bc394d8bf87b6bc1e362ae7d5f66cf73f0012ef777af7270

SHA512
0b6acbc7948b0a550081871c78f5a636361e6ea59708481378d6a71d7cdeda021b44bb01d6f50460f67878985d99d5e919964a6ca557b77c99bc57a7197cd32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dfdcf6f4-2616-4647-b96f-69738e174aaf.tmp

Filesize
5KB

MD5
9fe86b3ce98974443d25a7c37ea93bc2

SHA1
6e8045ddf95ec0259d89bc4407cec116dd54422e

SHA256
825fa8351b3ac841fd181575654517d3fc2461af142c6e652d7c4083732e6208

SHA512
2022df913046735d21190518194bc46efc903f24f58628fb155559ac3aa9c2329802af7c2d991100419a06d8191e136023f2f264946efbae33433ac93b5e7ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
89f2bd4741715dccc12787a59c78a229

SHA1
ec1a2c650c4caa2d161c0a1faa982bef5b6135d3

SHA256
26214f71df0c5afa213c0eff93ff873bb4e93e377ab1afabdb9a1cd511a0098e

SHA512
38baa8da7acc6a625b8c160d8f7b243d4616ad2a9c0b406307019fd05a51242a8acf438c70b8704dddcd92efaa470918f4a4a73a6b1fcb7a165db2f6a58332b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7002200b6905fc29b68e47ead8c88335

SHA1
05a71784e5a6e77e52dc19cc86aeb3a9fe9e9b0e

SHA256
d527895c8136059333ffd711793e1f9b91836ea4c6fca00f3f8ce2a134c1e481

SHA512
4fd938bab0b9f9e46079b73c9791fee6f93bf2df4551d6292f161ed79f7df0c594fe41e28cf2862f63bb72786d8199e9ac8a2d46051fbda28e5f7e7e18e82975

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
af63281e703ab8c902288940551abf5f

SHA1
b8e40f81a6d9a5b537e58802c0fa258b46fb05a3

SHA256
fec2bcc3607df4316e599d590f890e7a782304ef15f56cdcb39ba01249addf68

SHA512
f6d7a1161717f4960499424fb256adb280f30196e2060c8e2cd82632ca952d9bd5207aa5b655721b20add29de8d0e2cf8f9e129f70a9343af6d01c2782be8e16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ec79d617f41ac8bcc22117f849f6ed87

SHA1
3d21b4360e2d0a85381101233552fe84396e03a0

SHA256
233cfa98c1c1082c6fefa2596bb86b5f0523201b32f787a5e7e625ded284d420

SHA512
59b69a634e314c2591abbde74e201442841f4f9c6c3b787c79011bdfb5507ffded27579a467350c5aff00c9b5afc902918cca17289f59e0bca868caf6f7ca57c

Download Submit
C:\Users\Admin\Downloads\hx.exe

Filesize
78KB

MD5
a1ad602f763d1c8058400df1b9d9caf0

SHA1
a5cd3f1b5317c6f3e7fdaf19123045f2c58c539e

SHA256
39f97437dfc500398ad3e624f84d1d3c53b0fc707a44152ad543d62133a58e32

SHA512
a2d129780083330e524b7918988a48c89dfe438ff649ad48400ea7f4ea190dfb1a43b419d0aa3db626fde6d7acf7e2b3bb1c0b88232e767d476707314d0834fa

Download Submit
memory/5460-309-0x000002828DB90000-0x000002828DBA8000-memory.dmp

Filesize
96KB

Download
memory/5460-310-0x00000282A8210000-0x00000282A83D2000-memory.dmp

Filesize
1.8MB

Download
memory/5460-311-0x00000282A8B50000-0x00000282A9078000-memory.dmp

Filesize
5.2MB

Download
memory/5652-365-0x000002AD795A0000-0x000002AD79616000-memory.dmp

Filesize
472KB

Download
memory/5652-366-0x000002AD76F50000-0x000002AD76F62000-memory.dmp

Filesize
72KB

Download
memory/5652-367-0x000002AD76FA0000-0x000002AD76FBE000-memory.dmp

Filesize
120KB

Download