discordrat | hxxps://mega[.]nz/file/6eBURbAR#eGygDO0wuto5E9jztooha9aKHuwYgSbnpkigswwvt_4

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/6eBURbAR#eGygDO0wuto5E9jztooha9aKHuwYgSbnpkigswwvt_4

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzY5MDU1NzMxNzE4OTY4Mg.GH-1Zv.gKp0OHscLWVqxKq0aMEyVNzi583JPaoZa9f97I
server_id
1247684714903507045

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
91	discord.com
96	discord.com
55	discord.com
58	discord.com
76	discord.com
89	discord.com
90	discord.com
54	discord.com
78	discord.com
86	raw.githubusercontent.com
87	raw.githubusercontent.com
92	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
3100	msedge.exe
3100	msedge.exe
2244	identity_helper.exe
2244	identity_helper.exe
5028	msedge.exe
5028	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1108	AUDIODG.EXE
Token: SeDebugPrivilege	5520	bootANIGGA.exe
Token: SeDebugPrivilege	3760	bootANIGGA.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3944	3100	msedge.exe	81
PID 3100 wrote to memory of 3944	3100	msedge.exe	81
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1468	3100	msedge.exe	82
PID 3100 wrote to memory of 1964	3100	msedge.exe	83
PID 3100 wrote to memory of 1964	3100	msedge.exe	83
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84
PID 3100 wrote to memory of 3096	3100	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/6eBURbAR#eGygDO0wuto5E9jztooha9aKHuwYgSbnpkigswwvt_4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8030d46f8,0x7ff8030d4708,0x7ff8030d4718
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,18314128247616982207,5348863609480788624,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\Temp1_ELITEBOOTER.zip\elitebootertesterfree\bootANIGGA.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_ELITEBOOTER.zip\elitebootertesterfree\bootANIGGA.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5520

C:\Users\Admin\Downloads\ELITEBOOTER\elitebootertesterfree\bootANIGGA.exe
"C:\Users\Admin\Downloads\ELITEBOOTER\elitebootertesterfree\bootANIGGA.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4f6aad91-bbbb-42ca-996d-271e7b56b5dd.tmp

Filesize
5KB

MD5
b9d386da078a2dccd20d3e02e94f6880

SHA1
4cfa598fec4643563ba98b938a6c0e25d0d9927a

SHA256
24d966ddd503f81b20d6deea4d16ff5f96bf315545205b8d2917f001b4980d11

SHA512
baca76edc302d286be450d4d840605731ab65e56a314e5324d66a49dcc375cba20bdedfc82c2bf7755c15477d6b66e0780c023509cdb5049e97ea3daf9f73337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
c189f509b2f3ef25f1bc28cfd7ae7a85

SHA1
939790a40d1f6d25247a811e6f7f5ef89df18294

SHA256
9f34028780f5433e6eaaf32784cc718eb1e2533272766376bc35bf4a512e677d

SHA512
96ea42d2ada9a7b537e854d898a5c9cb878fc5726293fef1df0f584083cd25dc1c56cda2cc4d13d8b2d6b2caf95e4e34c9c76ea16a8a2c63419830cea48fdde7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0403c92d3410450195b5b98af1c8f17c

SHA1
316647c7f252f13379ee9d00f7c13b7b7c2d302e

SHA256
da2f7d4879d935bf235e2ada6d12b131bfb6f50e18734998074bf5254bc70e0c

SHA512
5c05a93452ca8779faa1c7f9960c048689b081c540651aa579de535759ed871845bbdbdac911743a92ccaa3f15bce9a676e223b78fdb68e73db418ac1796ac38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2a03cc590aed759b07240c17dd0209a2

SHA1
31582eeeb5e26fa3dd294baf3e9ae74652dea65c

SHA256
12ffe0a1f3a091b9e9b3ab3b1796a1f537d9d0efde7ddb773a8d83d6a0c9bc04

SHA512
55d8c957fbc532c8087798bfbb86cc0033c1caa60ce27cbd78dd96e9c358b1cd44c8070eb206fbee8c95c04456135479f055376cf1e635d1373c4768022d7a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b229.TMP

Filesize
48B

MD5
4ece133fcbbe13eef78adef33bbd6d26

SHA1
632836a80b74b2400716bb307515b5fc47347f46

SHA256
20247946147751f9fc45b564dfb327e1a9be56b1ac8ce6d31052d880f3356720

SHA512
ab9f701c05d0902fe248a3030e5e2dbf4356ba01381cc8d2df4d1399ece7318f389d61268f69bb7965ff9ae156f8b47fff2cb9569d2fe9993feeac055da0dd2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c986df6d8df62d50f5c1f93ac8dd4b5

SHA1
2b906f320392eff0fd72a9a9d89b8888a9e15d4f

SHA256
bad97cdbaf8316d241a09b90b9922036e76debb70aa01769673729187745c888

SHA512
82dc68c552a501a27946c1a3c27cf7922126defdeb0489f23d65d1d9d5ce6261cfc1eaf6e408143463e9db08b3f93d04dbca03a29145245be149a047d3ca4027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9bce6dacac54e1add365007aff47072e

SHA1
9df03f676ae2927feaea4d16298712b450fe537a

SHA256
49fe2f1e821b4f6901b5a4e8ad1de19ee668f83cfa07af0313701a10447cb3e0

SHA512
77a9d896f734558ba4ab86c6509616bd631c8c24862cc9b79327c6cadb7ecdd081cb36722faee582da124b1e5bad9b3de62ce62016aec8fb69ab6b0146f2443c

Download Submit
C:\Users\Admin\Downloads\ELITEBOOTER.zip

Filesize
78KB

MD5
f8f541c5c8ba9381861b8db4e007f687

SHA1
b99068c633398e821c8842ece7a44f90f09ca071

SHA256
585ca993b3d2ff5c9871560d7b9764635883b31a64fbc45c2dabde9a7ef2452e

SHA512
e07b5bd81016ba34aac4e77cfec5992f82683f0bdf585283955772859ea842a807de2878e243b9b0d7e9aa79e80adc6efe7ecaaeb901e6d6eb89bec9e04ccd60

Download Submit
memory/3760-269-0x000002C4BD500000-0x000002C4BD7CA000-memory.dmp

Filesize
2.8MB

Download
memory/5520-195-0x000002CDBAE30000-0x000002CDBAE48000-memory.dmp

Filesize
96KB

Download
memory/5520-196-0x000002CDD53F0000-0x000002CDD55B2000-memory.dmp

Filesize
1.8MB

Download
memory/5520-206-0x000002CDD5CF0000-0x000002CDD6218000-memory.dmp

Filesize
5.2MB

Download