discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1311791400278429846/1320889087766429766/Loader[.]rar?ex=676c8ed3&is=676b3d53&hm=d03c152de1c9153f71ed656cb14896e2a5528e707bbc7aebe6ac21da570bff41&

Analysis

max time kernel
76s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1311791400278429846/1320889087766429766/Loader.rar?ex=676c8ed3&is=676b3d53&hm=d03c152de1c9153f71ed656cb14896e2a5528e707bbc7aebe6ac21da570bff41&

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMDc2Nzc4Mzk2MDcwNzE2NA.GK0gUF.OU9WbYr2-yq_nxwfa3gKj0PhdIzzZqHZ5u2d-s
server_id
1308451255844077600

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 2 IoCs

pid	Process
704	nx-loader.exe
4496	nx-loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
42	discord.com
43	discord.com
46	discord.com
67	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4632	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3104	msedge.exe
3104	msedge.exe
804	msedge.exe
804	msedge.exe
1168	identity_helper.exe
1168	identity_helper.exe
3008	msedge.exe
3008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2292	7zFM.exe
Token: 35	2292	7zFM.exe
Token: SeSecurityPrivilege	2292	7zFM.exe
Token: SeDebugPrivilege	704	nx-loader.exe
Token: SeDebugPrivilege	4496	nx-loader.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
2292	7zFM.exe
804	msedge.exe
2292	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2976	804	msedge.exe	83
PID 804 wrote to memory of 2976	804	msedge.exe	83
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 4572	804	msedge.exe	84
PID 804 wrote to memory of 3104	804	msedge.exe	85
PID 804 wrote to memory of 3104	804	msedge.exe	85
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86
PID 804 wrote to memory of 1040	804	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1311791400278429846/1320889087766429766/Loader.rar?ex=676c8ed3&is=676b3d53&hm=d03c152de1c9153f71ed656cb14896e2a5528e707bbc7aebe6ac21da570bff41&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4272 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,2536852017342286457,8370413305127798487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3764

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Loader.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2292

C:\Users\Admin\Desktop\Loader\nx-loader.exe
"C:\Users\Admin\Desktop\Loader\nx-loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Users\Admin\Desktop\Loader\nx-loader.exe
"C:\Users\Admin\Desktop\Loader\nx-loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Loader\IMPORTANT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1cb00e94-a304-4f7c-93c9-0bb8acc2c1f7.tmp

Filesize
10KB

MD5
501b89b717842c822b29c0c5449cd701

SHA1
bba29331f037a0c231459d8d5593433f9d51f40c

SHA256
6d29440ab7bb2cccd6f54a33891d7d97fe5046e8e1ae4cd54882707f4463fb75

SHA512
d28d83d33f8c5a84df4ac1f7a2c50e234feb3a016bd4c7089be1e4844a58dbca79861f4297760d48fc3184ff1e7e144b3ed2fabcc426a445b952ef0ec74661e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2bf4d204d38788bb0592c344b06b87ea

SHA1
d75d792deb2962d308253d324e83066099a5530b

SHA256
ffcc1b83d4966b8c79326d5c0672640d18d19e1d9a17c295206e4b0982c6fc69

SHA512
7f8803866cb921e0e99637a86a223cfdca9ab6b9a497d9ee65a00811d04228c96a5f982e32554184bd475c0b481376507b986d786e4dd0637baf70c43b610b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c5fcceaa13d38b85ed5578cd32cc29c

SHA1
e06b95c8961fbe1119bcfff74f5102bdcd161c83

SHA256
c7375ee5bb280c44270ee39d7c42208effca073f3ed025f07dac4e21479615e8

SHA512
f8b4888892df097fa275f26664f4cfaf6798b2373c170b513d4058595e5fff1e31c35d4824091b29798903d56b99fdf8a624bcbf1b3efadba9b06f12fb0d4d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c93a85a3-04a1-4f66-b3f1-a4dbb3afeec6.tmp

Filesize
6KB

MD5
5d183aadbf5bc3768c5072ea700d644e

SHA1
2e0812bcb008cf7618332081eb3ecbce6ad1ae09

SHA256
e63990e24d98b8b3b1613818168e69fa049ff77e4c621c055b3f962465b3000e

SHA512
4bd87284d628d729d8375aaa580e3a7d8bd751ab3258404202e3a89edf6bf32cd28c2647b04e2feff9ad11669659e5ec94ee09f76307378174739a366b09d8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
30485135dabc65788017dc2857cdda95

SHA1
f99e2b8126cb305e1a0690622f4056031a3cb1d0

SHA256
335e8c668c532f1435a82e7aaf9c0a074aa6275796c3251f7794638949ecacaa

SHA512
3e5d046b78c38c844eb145aeeb874e6814a9c296c2c5807fe8500d313157c93df5ba6c701e1de51aaae75b8caa8201a405f92cfce66ae871d4a9e32fadc4a1db

Download Submit
C:\Users\Admin\Desktop\Loader\IMPORTANT.txt

Filesize
103B

MD5
89ff64b3942d7cbd0db340072665f223

SHA1
e35ed6238af2c2126fe466b73356fe65b0d450f4

SHA256
665eac141cb42bc97d56fe90b14d368fc6b81bf3721490480a4fc50e4e82a2c1

SHA512
a52a2c93d0507299252eb69b201163e784ce7f93b121a062d1518f771e141f4ec6ebdccd5c062f1bfe9ad89d8f88cef21f540b1616a9156c5f9ac07fde6d43e6

Download Submit
C:\Users\Admin\Desktop\Loader\nx-loader.exe

Filesize
78KB

MD5
a6a30e975f0a8c57c49b0bc7ae1caa04

SHA1
7f0dced40bf666e7c01214c2337ff287166a9c18

SHA256
9390b4487b194119fa49560182ecd199222229776fa2c383a08e8fca3f16e760

SHA512
888bf6281f6325aa51af774485a421de3d7736df19e8d3c7d399a6b65c207651e213a04cbfe2a0c588878c8c2858324744872e2c39cb68bdc347347fedcc914f

Download Submit
C:\Users\Admin\Downloads\Loader.rar

Filesize
26KB

MD5
9c469d823753e105a4db2cd70630bee3

SHA1
02b38ed11f5e933389459fd441f93bebd69ec4e7

SHA256
00c25c70d39db486386e81793433230061dc195ff1023b2fd3f7929d8cc83817

SHA512
7c9e93405d9be9c7e6eb66afd83ed673fa8888fdf3a6cc01c620cf49b46945682055c7647a7e4c84f127ebfddc6bad52e03667d38b2b005d008a9bad25c975c6

Download Submit
memory/704-180-0x0000024F3A160000-0x0000024F3A178000-memory.dmp

Filesize
96KB

Download
memory/704-181-0x0000024F547F0000-0x0000024F549B2000-memory.dmp

Filesize
1.8MB

Download
memory/704-182-0x0000024F54FF0000-0x0000024F55518000-memory.dmp

Filesize
5.2MB

Download