discordrat | 2f294b7dd8df80c19dcf8e338049f55787492e70e39eca8f8dc731b3c6addc83

Resubmissions

11-01-2025 03:20

250111-dvq1ba1mey 10

28-12-2024 14:10

28-12-2024 14:06

17-12-2024 17:57

04-12-2024 11:26

04-12-2024 11:05

Analysis

max time kernel
789s
max time network
446s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-01-2025 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badassfuckingtien.exe
Size

840KB
MD5

264db47eec711ef618870219832e5dfe
SHA1

116d2ff601d6640d3fe24fb67492ca2c82d9bbd9
SHA256

5c8b1d9c70780e1e669b4b34b0e190f6a691b8ada42179e248513feafe5b9ee5
SHA512

1672cbd9273987fd2d3cb1f843e2e28bb4c107913e0d1562ce6cdd7a403ba40e1bdd05647f3d89b0b00a8dff8328c9fad342f1b771ee391990db6d4855d8ad56
SSDEEP

24576:9uDXTIGaPhEYzUzA0q5VR0cNnns+UrZtb5jpXw86qh:gDjlabwz9iVR0WnQZ5xpA86qh

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMzYwMzQzNTY5MzYwOTEwMg.G0k280.tlujv7Qu1u6uHZMDdDCuyzSTaLQITkGmfU0u3s
server_id
1312325986385264681

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2752	backdoor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4284	msedge.exe
4284	msedge.exe
1764	msedge.exe
1764	msedge.exe
1472	identity_helper.exe
1472	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	backdoor.exe
Token: 33	5052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5052	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2000	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 2752	3152	badassfuckingtien.exe	77
PID 3152 wrote to memory of 2752	3152	badassfuckingtien.exe	77
PID 4284 wrote to memory of 2228	4284	msedge.exe	85
PID 4284 wrote to memory of 2228	4284	msedge.exe	85
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4816	4284	msedge.exe	86
PID 4284 wrote to memory of 4940	4284	msedge.exe	87
PID 4284 wrote to memory of 4940	4284	msedge.exe	87
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88
PID 4284 wrote to memory of 4496	4284	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe
"C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa99473cb8,0x7ffa99473cc8,0x7ffa99473cd8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1892,15660790997711260151,12121402504408935634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000470 0x0000000000000478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
adfeba13bfd12388a25cbc3c798ca1a0

SHA1
e15930c92cf69ae7d49036b1f924aa14c065f8cd

SHA256
35a690a5ccbc9952fb17047f35805f73baa866dbc750bb3ea5d04aa521190b1d

SHA512
adbe75bffca935a23ac1d1c0b4018dc76f1da79fb9e0f4bf58a39956731cdd2365b265da9cf8fbde2ddb4a23f27ff1eba42b81f07731efa484ce396d3764f2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
44a35277699aa2b9d90c179a99d7be97

SHA1
ef9bf289bf76559a47acc18fbf71fccd20fecefd

SHA256
b6aca2527ef2e66e13345f873aea2ddbfac414f622f5a362e2ff8fb8edfdf818

SHA512
a7e087f6a3cea32f318a6b8998f96393fce36342117c6a95565563e17eb45cfc4141ba74a12a52716b9e41ff54f4a2226baa94e845b7cf73b49a4645a614dc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e94f8fe8799cbffa382d1f6ff6416c41

SHA1
9758810209efcc87f2cbf52ea050ac8a82aca6e4

SHA256
f49d628f4c60296933e014caadb805ba4fc04a8fcb3389da79f9eccfeb929a44

SHA512
80a43da2f4dd45c0c67441e295e910a0ef7627c33dd84f213061150ae2d0a62d2ddfd4519503292e93fcaa9ec013102e12a38049854a9d441e9f3b99343671bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f77612e6357cdb6f803132cd88b9b4f

SHA1
88dbe65445bf0e1250f2303d7e0438b69b83d97c

SHA256
ed8fc234210566d693e29ecbe7f66ec1107bd2b0f4251c8b54029da49269c94e

SHA512
2b672aab8bec3dd8937f314b29b9b328051febbdfabf6060d0390d1921f9dbae64eab319eac2f83e968fb304f011fea6b55c68ba5250f87e6a2db5a7b75334a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d8887f956ff3db400ef7a0aa8415c53

SHA1
8db2a3f2be3582da2247b8de5fb075aa52cf3151

SHA256
7bc8c381d79fdeb81d384d2a0b845c8c40e36cf9830c3f01fc36f2278e41f4bd

SHA512
1c7b5483eb4bec9346f39cef05996fa786c2a8d3b15dc2b94d34675bf2fbb71c4eec6a6653ed13cb25cba47e401131b1daae39b633a50e240b1f9ada4f6eec8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69be8c4e196e7afc299d00b1f6287c44

SHA1
c3f03ded091d00d9ffa02c90691a11da71727efa

SHA256
94a6a3fe7d2a3fe94ec68ba1d4fdca5e13e16206e55ff91e634c9455d0871eee

SHA512
096f1bf499be7c4be8b327e441b67ee939d37e197b3f46d847bc29142cc0fa1c2b4a9413047ab419173f373ce4fedc80f97a68eb47cb681b982dc2fe5cab7a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0daea8f4-b451-45fa-9cda-89dee0860386\index-dir\the-real-index

Filesize
3KB

MD5
c01edc6a1258e2dd24ef1d509b0505e7

SHA1
d27db5fb7f385933acd380f4d2086cd8b5f7e96a

SHA256
ef6b0a7581940f2ae777d82bc5146cf2ce4f98276d5463d5ea882f9d3bb4bd1b

SHA512
65085530a7acddc5f087666424e9685e49a0f7406f55fd4817a5e9842a505d1647c63af9c7f901cc74f813d557b870efd761129c80d0ee4d094d0edf761859dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0daea8f4-b451-45fa-9cda-89dee0860386\index-dir\the-real-index~RFe5ac370.TMP

Filesize
48B

MD5
eca191a36dcdc39fb68f9c4b9b24cf7f

SHA1
2b44bbd12caae283027f9e70e956089b14886303

SHA256
ea1d2d1e1eb5516e03a5372b44264974ba5baaff46a103b498cd99cfcc7f9495

SHA512
6d5c6d8998a870d96fd89888cb4320653ddd4c0e7d2aec668446696901398836fe11266f80c1ffc998eeebac70de9675801edb07d8e8b3d6ab6a9d7d26e8b9f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1eff5a47ef503bfa93f1eb034fe72f34

SHA1
05d9abb700970cb1e6ef2a4b9104c6f3748c1574

SHA256
0bd2543abc9554b001d181a206c738780d0e31bac3ba711f7ad150b57575f6b3

SHA512
53753f227cc45a90e3f882d23434ce0d1ae7d085b7d4c73eb60ab8e7a5f05a64183b7665c5730cd6d43758bec7776b0583541300b93e183901e31d1e8aa75ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
26e188f75e0271ff71c22f49ae0b2f5b

SHA1
9ae990c284c7f855bc1947c0e4208f672dba450d

SHA256
85273fe661b3e8c361bc34fc6de88d03fd239fbc53bb80397f3e2165c57481f7

SHA512
01e9cfcd89857e565d6967851ae93f3bf4123c7d49d06d4986625fb3faac95174ae1a5098b7febdde2796a092d9028f081e8a7a960b4791df00fdc7e52faa70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
0ed831458f7912055ab2c738aedee8a9

SHA1
52b4329ed0bc6fdf4751148924931f9c13b63c79

SHA256
9335be2f336b6cd0903a232dfec0aeea0fea5dd5a24c6cdb264170c9d7857311

SHA512
b3a4eb4e060f64c610de6ce001a7e3ea1e89666687d6ffe7ab4f8897bf8ef015b520cf15e6ae3245e67399fd4a996318339dd68b79045fc61056677f1172a553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
2462404f5851b11a1f10bc138b851231

SHA1
2c68f06a00312c87e8f7e1b61fc8310ca563df0a

SHA256
5d1036364a7e1e2dd20ced3258f8e1f0acda0295d5e3cb21fac05500382d5567

SHA512
502e9f50e506be78268dd2c3581b2c7e17460dda8ec20f7d04e193aabbc5406fa3b6de8e87fff2222a25cb2f93df9d7eb29ebdbcb9cb768d01e3b98697714152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c5f11fb14ee4e6d1685eff7620acfa0e

SHA1
94954c0c8996502e9e9a832dc07b8833d1b6b65c

SHA256
762541fee25e1d0a79a0cd9a6072dbf0c50831623308344a930e840ca08f6b70

SHA512
615f5c4bece8e6cebd32d294bd0a5fab5da93e200a365c2140d52af8c8981d0fffacf2ca84d79993b4209dfa3b51299cca4b6d13f85b44e9ef080fd2c7c1fe7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ac0e0.TMP

Filesize
48B

MD5
8554a70606397423a967867dca876cb0

SHA1
435f0551d84b78bce18b026f304063b97409f566

SHA256
032a3cbe24a9b01bc7acb8602ffd1cb659786be96f0bf79b244a3a4bd0e33201

SHA512
03587859099fcfde2665865897097dfffe7b7a6d282e98d337267d1a96e143382c463180e6262e6aca9f6dc73e7b4967d9d610d0e1d98d07339f8298a76c5ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
e5648ced8f40447649684075e0a1fb2c

SHA1
09036209d8f922beef87e21fa9ee5dc9ca4971bc

SHA256
fca7289c6650ca5aecf7c9191fd22c66664fbb81d3491bdfbd2aa4311e962a80

SHA512
363375fa10bd8075820cd8102e6ce2e04cd19d53965face52149625768266b0010f7c96041c7b54f7bd58cc2553f1ca5428a14387d0d395fa60875536b36d297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ab99d.TMP

Filesize
706B

MD5
a6e34b0eec30dc47958fc19e2818b9a0

SHA1
05122cc25f4115a636ec1962a308301ee0eb6417

SHA256
59dfbfe537699fe3df59a203baf503a706caf0c5b455dd05504010dbde7b38a2

SHA512
93641783493241d769531445a61bc76411777e79fea7c113f05879df0a4f9e5c17810c895352f2327fb0fb6c12c1245e7aba4bed9748ec9e4ebb1f2655cec59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0acbe7cfe6ddbcb91faffff73f1c31db

SHA1
ef8c466ebd415687cdea573fe2a34b4440530b2d

SHA256
2c8a84cb9c204edc4b646d6e29bb950cb4b2f58029403aaface1f11c8b976bc0

SHA512
3ce07d592e6adfbf2e56e6b6fcd8031718214502ef948196619515ea2aa7d22ae2c9470e2fd3beef9436573f255ca05bbc39e030e46f83711b4ce46f8c23aec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5fa9395003d64cd73002944c32acde61

SHA1
a737791e470bbc64097f395b6ec34f638baad9b6

SHA256
93ccd06f25cb35fd42628160d25d20ad8c6aad6d187c04b6c26d6a6f236e8181

SHA512
4bfface8ccb35804c746a500b55f06d7d3756616d191b24b0cf958f07840b10cb6821fcb5ba0b38ae12997befb881913f52ce7a5ea3c67b422a94520a8337450

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d91dc2e3-a6b4-47ac-9892-d8a80d214f65.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b7443e89f0cb29d51ee6a257750e54d2

SHA1
84127eebf275e781d5276af6fc4d09c5a6bfb7b9

SHA256
8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26

SHA512
446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
83584a62c33baae3be8b48c32ae4acb6

SHA1
9bb68ea8bb9f2c2e54d9a0efff4a66a512ac90b5

SHA256
56bc5859994282eb5b672c9b27c2ef7cad232af34c9033077a949b04d6c55c58

SHA512
554caabadea24ad0c2f0e1c55632d76b12e2f19ce506f5dffa39f841e35d263bffb001e2f6ebab043070794f97f988802e3db086092e28f262b36569ed8c7d79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2752-28-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp

Filesize
8KB

Download
memory/2752-29-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

Filesize
10.8MB

Download
memory/2752-20-0x000001DA81660000-0x000001DA81B88000-memory.dmp

Filesize
5.2MB

Download
memory/2752-19-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

Filesize
10.8MB

Download
memory/2752-18-0x000001DB001D0000-0x000001DB00392000-memory.dmp

Filesize
1.8MB

Download
memory/2752-17-0x000001DAE5D10000-0x000001DAE5D28000-memory.dmp

Filesize
96KB

Download
memory/2752-16-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp

Filesize
8KB

Download