hxxps://mega[.]nz/file/iRJUVYbQ#cYRA4_Sa7BpCEFyExP2PAduDWWOcP_MtOJldBqZ_0t0

Analysis

max time kernel
76s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/iRJUVYbQ#cYRA4_Sa7BpCEFyExP2PAduDWWOcP_MtOJldBqZ_0t0

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	R6 Unbranded.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000700000002329e-166.dat	vmprotect
behavioral1/files/0x000700000002329e-192.dat	vmprotect
behavioral1/files/0x000700000002329e-193.dat	vmprotect
behavioral1/memory/2632-194-0x00007FF623A30000-0x00007FF624272000-memory.dmp	vmprotect

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5176	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 725211.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
936	msedge.exe
936	msedge.exe
4316	msedge.exe
4316	msedge.exe
4908	identity_helper.exe
4908	identity_helper.exe
5852	msedge.exe
5852	msedge.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4268	AUDIODG.EXE
Token: SeDebugPrivilege	5176	taskkill.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	R6 Unbranded.exe
2632	R6 Unbranded.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4948	4316	msedge.exe	90
PID 4316 wrote to memory of 4948	4316	msedge.exe	90
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 4020	4316	msedge.exe	91
PID 4316 wrote to memory of 936	4316	msedge.exe	92
PID 4316 wrote to memory of 936	4316	msedge.exe	92
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93
PID 4316 wrote to memory of 4024	4316	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/iRJUVYbQ#cYRA4_Sa7BpCEFyExP2PAduDWWOcP_MtOJldBqZ_0t0
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5dfc46f8,0x7ffb5dfc4708,0x7ffb5dfc4718
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17786097068446525706,6224754706010405467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x3dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Users\Admin\Downloads\R6 Unbranded.exe
"C:\Users\Admin\Downloads\R6 Unbranded.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  PID:1812
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    PID:3960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:5228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
  2⤵
  PID:5224
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /nowait
    3⤵
    PID:5200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
  2⤵
  PID:5252
- - C:\Windows\system32\taskkill.exe
    taskkill /IM RainbowSix.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7303309274995e9b6d3d499dca68ca7a

SHA1
e1b9787dd38aecef035d96e3cbdbcfe5dd1e1a77

SHA256
1af1dcbc63000cf345a9548ea10903b78e6e5792eb35083e21c504cf235a08b2

SHA512
741683868ffe6ddce7a3a9e336a5d9e333a82d3393c0ebaf02f79db3536a215ff01f052c68cead3e52d01a658559ddf115878610a953be47fc05c6ead058d025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f3a417ac611d68576912922fcb12e17

SHA1
d03e807247e133ef89ad8335b25466bbf7043ce9

SHA256
ec80056d57dc7d2368a2143b9b9d987dc269e8b67aa329ba91338965ccf70ff3

SHA512
5d02e9472ed95bebdb37158f7c7eca2ea289a12d9641c668030b98c2b952565d4783ce90bedb60af617d06fdd92eaf6b5e20b95ffe98c87b64801e89a4525e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ce8a5badfc01a4621622e5abbfbd1b8

SHA1
3b3d31c0bf550be8fdcf1bf8c098328478749d8f

SHA256
659820eb0a613e27327b584593292f4ef9b17b153eee8a67eb50d6d2b3a07a0e

SHA512
f0a4c8d61a7f5c6f2e00f14b2e550acd6c3db8e1f015a2ded483c76cf6460ae1f7dfaf7941acc49358bd92382acb4d6b2da41b0f83f92e27c3b5b1317468ed00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4d81649326746d3c6e9a391f65b3f4a

SHA1
03ab6c20eff221ee74e62cad915aaf09e6e1e9c6

SHA256
8de02e7bdb3d4376e45b5a6ec7232aa0e8e39f0484b0e0c906d6c35cdce4d36e

SHA512
f03d6cca7b5adefc5486b4fcc2cdcd3963117fd69c890536a62914e7643e9baf2fa60994e3709299d317ae14b95a39e8f93364c02f7695a4fda9a7a49818521d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
433eb44b03ce2e46381d21e484be158e

SHA1
7d56602569addbddbf91081a9db5d912854555e6

SHA256
c8f4d24f223785ea1ca593b5258e2c7e26cac947cb47b36833aa88bf28433aad

SHA512
049355c0396167dcfe7986114f5fa80a558307795b0fb73d6cca3f3ab671137a8c32bf948fdcd56c8f5708bff8c2c718ef193866a80ced75efee3ab5ee819ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b769.TMP

Filesize
48B

MD5
f19ffb53b06889b5aae3018ea24f3851

SHA1
6739268cfb389831fedaf73c3bd4dff39748915d

SHA256
1edb5d361961e0cf7e8f89f1afb35ff95f774a4f651f16ee6638db74492a3f57

SHA512
076dc51bdd44b70450b78c8c8840699811b3d66396dfabb08babc645529e9e8387cc3c9e74e160ffb1af77765a20fefddf5aa19ece2415671c0317f2b8a959c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fef9c0e3a557c19db838e5b38d2c7d70

SHA1
134458abf2780bde858636c98725c580e9a24c46

SHA256
ecaff8c17062c32a912c1ee434e129154b9c2549ee9ff3c95146d0cadcb1219f

SHA512
238274c1323d86847e1bda348f49952679cd78b8b769f47d0d54974d87e26836c210b7cfc025b13bd61dfd5a41c0044af302032e0354ce86148a734109746b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
601b3f8a5503aeb4538dcf73964e3069

SHA1
a14149724b6bb5609f3b6caa53d1d80f08d3d88d

SHA256
9a5f3e1524b6977cb51548b224eab4be3d01d98b313ac1b7a36075bbf247a2b3

SHA512
0acd308acee9d8cdbd7018568afbbb4ee0ea738f946b94e919c44e863ddfa08289c0d3c5087542da98c4f428105db76d036b32ca233c5de37f1e8bb0653f1538

Download Submit
C:\Users\Admin\Downloads\R6 Unbranded.exe

Filesize
2.1MB

MD5
5541401fef84287a8e14d3d80e987e16

SHA1
9927c9227e599195ff440baf68eddc09609d4ea3

SHA256
a05bb9265fb3c24c617af90ee5d0b5f690267d1df6ac034f9240016170915dd0

SHA512
92c13d1103f4158e4430f3c03f33e838f632561323f6a7e92b7caf15f42b18223f23f71dbeacb15a154d321f06fe683a1f7426b790b0ac95c6624b96a35588f3

Download Submit
C:\Users\Admin\Downloads\R6 Unbranded.exe

Filesize
4.5MB

MD5
0bac744ec7003990acdc9c849fe6695a

SHA1
472e274536202de63d7a043842eaa0d99772dabf

SHA256
eea0fc82fe3099d4e2687c0da4985fc119dcb94d95c2d0d74926a802656d3bb1

SHA512
45be1751ac07021808c28733a137967a70b3ebb223b90e6e66ef79c80bb039fa7fca262be59015d9c4c471e9e24f4f07fc2175c38c6e585b06c39745d7d92b92

Download Submit
C:\Users\Admin\Downloads\R6 Unbranded.exe

Filesize
1.9MB

MD5
fb594d0f649a564df6bb5cdb3ace1a68

SHA1
60d697e38ba05c35c67edbf2ade2173f5a7e174e

SHA256
f0b69a9113df673f0c611df0051bd167390d0e3a70d0833ff5cf0ea5eed0a898

SHA512
dbe86930ba571f06b77fb7664ebbdd8746786a174b452769363389eb313a3075e7752997315d863a528fb68b59b457c1f023989375dc0d09f369661afdc6b617

Download Submit
memory/2632-194-0x00007FF623A30000-0x00007FF624272000-memory.dmp

Filesize
8.3MB

Download