discordrat | hxxps://mega[.]nz/file/xmk2SC4Q#2QY2HM4YDb0nAud9W6_GmX3g19wvNxluxZiHpaAPAvw

Analysis

max time kernel
35s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/xmk2SC4Q#2QY2HM4YDb0nAud9W6_GmX3g19wvNxluxZiHpaAPAvw

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNTEyNDczMjc5NDQzNzcxNA.G65c4P.4ewW0EqddWRZTMmXyWCauBuqjk_phtjLZwJiCY
server_id
1225115386102550651

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
3032	Client-built.exe
2212	Client-built.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 48412.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1716	msedge.exe
1716	msedge.exe
2280	msedge.exe
2280	msedge.exe
3872	identity_helper.exe
3872	identity_helper.exe
1868	msedge.exe
1868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3484	AUDIODG.EXE
Token: SeDebugPrivilege	3032	Client-built.exe
Token: SeDebugPrivilege	2212	Client-built.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1680	2280	msedge.exe	85
PID 2280 wrote to memory of 1680	2280	msedge.exe	85
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 4120	2280	msedge.exe	86
PID 2280 wrote to memory of 1716	2280	msedge.exe	87
PID 2280 wrote to memory of 1716	2280	msedge.exe	87
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88
PID 2280 wrote to memory of 924	2280	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/xmk2SC4Q#2QY2HM4YDb0nAud9W6_GmX3g19wvNxluxZiHpaAPAvw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1ad546f8,0x7fff1ad54708,0x7fff1ad54718
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6460 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,4532611974026351452,12517958185871350688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1744

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
20c013e5cf75c82099c5f8548582db6d

SHA1
28ea3b14219ac5683e62e5fa23fb96cb173112b6

SHA256
6db0aa38c396bc0930b49eef0bddf191e261ae6f0f0a58efb8cc36033bb27502

SHA512
832db888e3b651f4139749a90d8fb0493493447920831066d2b59658d46365c07b06bc7b6ee3e6220d11de5f62a04caa16f72b7e2594630e485b74bc24ba5628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2813d3a250205ce8142f556451c41ad1

SHA1
2adbcd4b41fe9ef2b2fa77215bd5ec06da29c440

SHA256
e0765963c1572d46b1d68b2a08db78dfadee6eb2ce148caf84e259d752ce8d14

SHA512
a496fe88217fc31974238425ec9926e58869d8051f2e3620a8f13b0cac0c6fdcc0edfc309d8bc1edb19ff8942c795de782a2a6dfc7599f3279cc8739906b7509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6bb21daa6b50bc541005a29d565c720

SHA1
495bc421f5a7a864d753455fb4fca5ac43021c47

SHA256
d83a39f4a982579bc4878af1b38bce0a1d75408e899350006a7570504cb784e4

SHA512
3a2d38065098d479c2b4310508489be4baa6bab5b248e67efb4a096c082241eafedbe7ff8f964125dff42202ff62f4c0c7cf3e96d7374efc14cde9494e236bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f75f3cc30d07d63dc58ca2e4a2d31c2b

SHA1
48336e985e84b7e54feb1a011f3ebe2b9b2256d7

SHA256
3130570cd3f6ec01c96d670d41f72c1fa494f9e11dd560dfeba6e22e38268027

SHA512
ba7c53b98ccea77cea16853ddfaee7d7a8c800a27d39f4771a7285f229ba980b472f2d1864668e53268cfa02bcf87895353ca74494c0e8f211103cb578b3e39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579d98.TMP

Filesize
48B

MD5
0f5f9c6b3d94431def7e081b8e69933c

SHA1
29627b316eed520c5c0fa545513a1e3ecbf96335

SHA256
4fbd6e515f17cd5ea3c7b764b58fc317bbd05877f86e00b8a57b02526ab69063

SHA512
0c3d790a78a45165c2aa5e14348fd7e35ce45681b0838fa4e8edc716cb52085145c8ca38475b27833c458d19d5ffc35c6755508713f9acc24c55a086b0dc6cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8790170d126e0acacc629ac2912c3296

SHA1
775375fbe3c78660fde4d7c3e942c88953d4a4a3

SHA256
e388578951b97c522f7aea4f2bbf9ffe54c68bda2b8ded818265cfbaea97dfa7

SHA512
b4e2a2c3c1e872b3a10d46214437de4ebd1187036c8d3d8af30f89ed729008e2c6f4e09a820e3c44f5fb2ffc0254727396dd6f51e30d1d50202d9a259e4195e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6dc0e5686eed9a95a149f394429a090

SHA1
93598127a229ce556342b293f2a5801ec5574519

SHA256
5a06202937f3e3884e365455c55808f6592aa7a9adb0ed8057bcb9a59e402e60

SHA512
2266008607523c9d0d9125afec484b1fa9614dc27fad1b7aadd5adc90a8d9b3ad510d6059f4d1c81ec54c7364f94a668f345267a05cf4887d06d02577128b578

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
bdef4fc28df228fb43e71fce06b5c8e6

SHA1
2b3e507b53aa4607ede991d79815e80e367270e9

SHA256
9e8edee923883b68ac2202da754a82e38f073594ab0881c4363c3afdd3e21c9c

SHA512
892cf8817e483993d1334789e0fde328481b2ad99e135753ee94c1839a2097c8e99098ea98364b6807bafa7d685cfda4c76f3301eb6e1d82efd375ec7f2607b5

Download Submit
memory/2212-238-0x00007FFF07CB0000-0x00007FFF08771000-memory.dmp

Filesize
10.8MB

Download
memory/2212-239-0x000001FD0C190000-0x000001FD0C1A0000-memory.dmp

Filesize
64KB

Download
memory/3032-215-0x00000181C0180000-0x00000181C0342000-memory.dmp

Filesize
1.8MB

Download
memory/3032-216-0x00007FFF07CB0000-0x00007FFF08771000-memory.dmp

Filesize
10.8MB

Download
memory/3032-217-0x00000181C0530000-0x00000181C0540000-memory.dmp

Filesize
64KB

Download
memory/3032-218-0x00000181C16F0000-0x00000181C1C18000-memory.dmp

Filesize
5.2MB

Download
memory/3032-214-0x00000181A5BF0000-0x00000181A5C08000-memory.dmp

Filesize
96KB

Download