discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1207434057038958613/1213583919073468466/eulen_by_zesk_1[.]rar?ex=65f60119&is=65e38c19&hm=3f59a8c1364cdc49410fc3bcefd8edf58f9c93598daab0e9796c5bfd13c33b9c&

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1207434057038958613/1213583919073468466/eulen_by_zesk_1.rar?ex=65f60119&is=65e38c19&hm=3f59a8c1364cdc49410fc3bcefd8edf58f9c93598daab0e9796c5bfd13c33b9c&

Score

10^/10

discordrat persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMzU2ODI2MzA3MDY3OTA1MQ.Gb4ha7.Z_jo3j74ZphpFTAOS0awTkjb90p6B3JbJQ4Bms
server_id
1213575249237639189

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
3972	eulen by zesk (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
64	discord.com
77	discord.com
48	discord.com
44	discord.com
63	discord.com
65	discord.com
66	discord.com
81	discord.com
43	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1081.tmp.png"	eulen by zesk (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3608	msedge.exe
3608	msedge.exe
3596	msedge.exe
3596	msedge.exe
2332	identity_helper.exe
2332	identity_helper.exe
4180	msedge.exe
4180	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2252	7zFM.exe
Token: 35	2252	7zFM.exe
Token: SeSecurityPrivilege	2252	7zFM.exe
Token: SeDebugPrivilege	3972	eulen by zesk (1).exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
2252	7zFM.exe
2252	7zFM.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2544	3596	msedge.exe	90
PID 3596 wrote to memory of 2544	3596	msedge.exe	90
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 1380	3596	msedge.exe	91
PID 3596 wrote to memory of 3608	3596	msedge.exe	92
PID 3596 wrote to memory of 3608	3596	msedge.exe	92
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93
PID 3596 wrote to memory of 3652	3596	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1207434057038958613/1213583919073468466/eulen_by_zesk_1.rar?ex=65f60119&is=65e38c19&hm=3f59a8c1364cdc49410fc3bcefd8edf58f9c93598daab0e9796c5bfd13c33b9c&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd64b046f8,0x7ffd64b04708,0x7ffd64b04718
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4116 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\eulen_by_zesk_1.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\7zOCC886707\eulen by zesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\7zOCC886707\eulen by zesk (1).exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17581141706017077505,710411926726793105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f097b703f696946f8630a8f256633f1f

SHA1
d7412a7f752b7e4aab2cfce547a912f11be83511

SHA256
6c4c6e3cfb183d53f01d5bf09c2d4e89808ba7aed59736075ad02f5c2e9b290d

SHA512
8e91df75ee8ce67b2fe06af55f71ccfbb7303ab317e71c7ea0f9e49cebb225dd4a7b05db8b6dc1f8be60f474adebfffaf0fe5bc66a99f1d30ea21f0ad1a6478d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2efff4061a6b781cc9401279c4cbb0bf

SHA1
01f2a7cfdeed54df1aef90db1c2bb4eb9fa50191

SHA256
d8ab675e6682d46c5ebeebc9011983329d15cc94aca841f98899b564c2b070ab

SHA512
669126029e82af92db83476bb7f90889458b33084a5c05c8fb555311b66d9d71c01ef83af9f4d265ecb5240755f5c3c18a3bc5193baad1d6240b2e038352dac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d74f6b38412214b160dbd4b342c00ee9

SHA1
2fe15b83fb88d1fb6d60370d36f9471bf0d221a4

SHA256
c2e4b24161180462a87eea147c03cdf23ca0a6c190f312d561513965b41a6cfd

SHA512
140af89d81e7ef88fd1b7135671a0ccb793b6084464a1160693a141b9dea4bcb19d90d9e877c5504c0ee387b7f31f81839303e45d17e4f3784f3354c49892303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5cf17e68948d2f1d24229f4e32f79ddc

SHA1
97d09156bf08d0131366fb2ee067477dc495f856

SHA256
1bfcc0406a6e15b71ef3d7e568ad54bc7f956503f1f0e455f1819e7d3a8cd2dd

SHA512
0e25381a1ca11639bb8686bc2bd159559f8d79bb08933801b2039b20081a07aaa9be62f2ecfd2ca446fb971dc379e95291fca7ef56dd3c80ad44c600eda80697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c02f90bbd27280e891f4e7623e4c018

SHA1
75cfbdadaa8846c8f118e703576bbdd430d846c1

SHA256
a4456ced88a36080a0a6241b634e1c4643452741c509e5dc43f4b30da7cd6623

SHA512
e19c864f091aff3598d5210c28f9a18d4097437b422bc905a8d52dd7d475534b95854901ad9aa1c7da6fe1eafe54fef3360e69f92c979e57c21f45661e143f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCC886707\eulen by zesk (1).exe

Filesize
78KB

MD5
2f8ebf410b5f7dcdcb74896cf39f5913

SHA1
602391026babea06341d7b3679062afd3a3dcc31

SHA256
2d7c90f221ea2287016c50613491b24d7e3eefd35778e3a8e417f5459f184dd2

SHA512
24c3d92a771e32eaeeb1892c92be555e444e332d759ca6e037df145ceeac79ef1ddca74147d810b16b7c1453539de4ec4a2590f16e2c980b0670485ee0b6514e

Download Submit
C:\Users\Admin\Downloads\eulen_by_zesk_1.rar

Filesize
26KB

MD5
21aa5cd098f26bfbd980dbb6f6ff96d5

SHA1
dd859088a73e8bdda5be5a4a18a9d04c829203aa

SHA256
5f82eb400042a4a63f5188d1de3f85192003b867e62e3340db971a2a578212b6

SHA512
0d52599708ac165a1430a3552e67c58263dfd4424b4ccc4c20914d8cb2bf03cda5f45d6b157c783d48d90308b925075ff59b7aad5cce0a17d7adff8f4cf1c3ef

Download Submit
memory/3972-73-0x000002232C080000-0x000002232C242000-memory.dmp

Filesize
1.8MB

Download
memory/3972-75-0x000002232BFD0000-0x000002232BFE0000-memory.dmp

Filesize
64KB

Download
memory/3972-74-0x00007FFD52670000-0x00007FFD53131000-memory.dmp

Filesize
10.8MB

Download
memory/3972-76-0x000002232D540000-0x000002232DA68000-memory.dmp

Filesize
5.2MB

Download
memory/3972-72-0x0000022311950000-0x0000022311968000-memory.dmp

Filesize
96KB

Download
memory/3972-98-0x00007FFD52670000-0x00007FFD53131000-memory.dmp

Filesize
10.8MB

Download
memory/3972-101-0x000002232BFD0000-0x000002232BFE0000-memory.dmp

Filesize
64KB

Download