discordrat | hxxps://mega[.]nz/file/kq0FXZSb

Analysis

max time kernel
249s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/kq0FXZSb

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1ODA0MTMxOTQxNTA5MTMxMQ.GqfyeF.fEl-HL4JSzyg6MIoozkAyI6_7QYBQmG1Ozvru8
server_id
1258030940161052833

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 7 IoCs

pid	Process
3928	LightWorksSetup.exe
4368	LightWorksSetup.exe
2572	LightWorksSetup.exe
3064	LightWorksSetup.exe
2796	LightWorksSetup.exe
3228	LightWorksSetup.exe
3916	LightWorksSetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
79	discord.com
85	discord.com
93	discord.com
88	discord.com
96	discord.com
101	discord.com
103	discord.com
74	discord.com
75	discord.com
89	discord.com
83	discord.com
92	discord.com
98	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 691598.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
5104	msedge.exe
5104	msedge.exe
1384	identity_helper.exe
1384	identity_helper.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4112	msedge.exe
4112	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	4236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4236	AUDIODG.EXE
Token: SeDebugPrivilege	3928	LightWorksSetup.exe
Token: SeDebugPrivilege	4368	LightWorksSetup.exe
Token: SeDebugPrivilege	2572	LightWorksSetup.exe
Token: SeDebugPrivilege	3064	LightWorksSetup.exe
Token: SeDebugPrivilege	2796	LightWorksSetup.exe
Token: SeDebugPrivilege	3228	LightWorksSetup.exe
Token: SeDebugPrivilege	3916	LightWorksSetup.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4456	5104	msedge.exe	84
PID 5104 wrote to memory of 4456	5104	msedge.exe	84
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 5108	5104	msedge.exe	86
PID 5104 wrote to memory of 3920	5104	msedge.exe	87
PID 5104 wrote to memory of 3920	5104	msedge.exe	87
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88
PID 5104 wrote to memory of 4668	5104	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/kq0FXZSb
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd44de46f8,0x7ffd44de4708,0x7ffd44de4718
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,14195172292489756687,14881597155085033950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Users\Admin\Downloads\LightWorksSetup.exe
  "C:\Users\Admin\Downloads\LightWorksSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Users\Admin\Downloads\LightWorksSetup.exe
  "C:\Users\Admin\Downloads\LightWorksSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Users\Admin\Downloads\LightWorksSetup.exe
  "C:\Users\Admin\Downloads\LightWorksSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Users\Admin\Downloads\LightWorksSetup.exe
  "C:\Users\Admin\Downloads\LightWorksSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Users\Admin\Downloads\LightWorksSetup.exe
  "C:\Users\Admin\Downloads\LightWorksSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2368

C:\Users\Admin\Downloads\LightWorksSetup.exe
"C:\Users\Admin\Downloads\LightWorksSetup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Users\Admin\Downloads\LightWorksSetup.exe
"C:\Users\Admin\Downloads\LightWorksSetup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de1d175f3af722d1feb1c205f4e92d1e

SHA1
019cf8527a9b94bd0b35418bf7be8348be5a1c39

SHA256
1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924

SHA512
f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
06b496d28461d5c01fc81bc2be6a9978

SHA1
36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa

SHA256
e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507

SHA512
6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0bbd0d55eb5748fa6993f1422f7b7cd7

SHA1
945245cdc520e20e6c1c0e93cd0d974169883301

SHA256
32d97d266bb4c258a1b36af07e20d96228c49592bc12398d09d1ffe87f999c5c

SHA512
ab8e7241ed403af0a52e39a4ac85ea9c815b4962edbb96ff29a34db30fdc7860d92d24c51fb63f4894aeb613bc80c6a519736972417f83142d01cc25e2b93c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e225ed3a7906086cd5216464aaa66d22

SHA1
1503d8b91629fe4361627f43d6acd7034ed2e4b6

SHA256
c41d2a4ed5d6425cd9cf4f7475e532fc39f52130f773ab6933c72b7832248dd3

SHA512
69c5e9c2562bbef86b6b4a301fd57f511b659248091b3eccbf6a81a31b5088388ae5ac13ab042b75b7796ff8053bdb9323892f00bb6aabc0c38a0e1fdf2997b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8aa4e62922b2ea25c281e86449dee8be

SHA1
537ddd66304ffee41c44c5ac9d883f24ed3061fe

SHA256
7a14ba344737fd0f8a2505b421615d26615ed0899dd51b31d8006074df8e3689

SHA512
dccbf1dababbacfc7595336e1976c9a6cbbf7ea7a42367a0b80a8f2002d006c85864e9f0de70e9dd94153d68ba041836d80ccd647105e440083aa6c27d7349ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a67b585d4f20534dbc61e7bb13c5aabe

SHA1
47f6b1854da1833e83d682c4bafae5a8d69a4a0f

SHA256
dcf3de3599bb47cab555f4be3c16c62be67298d5c60315d10a1f4b7520cd0bdf

SHA512
1a5273b0a6cc6a505f3a81dd636ba838ad58810d876474275dba90e311e02299cd0127801831e2d8079b53d2f92c09f55a0437cb189696fef1810aa7c8db750f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4ac5204ca6aa36d5e2d47dab265b255

SHA1
2b1e143ca1f3b594e563b8bf57d768df31aa50ac

SHA256
515f6459dc24bd8c662c06d73f50a5c8bca8761320ed5f1a115511b66912a3ca

SHA512
54ebc3c8691ae5983b84b15d09a47a7f33c72319e2563029875794ba812ecfb5f8ba7fca9307ce5ff42b0b066910f5bbc8165171bb9c76e2bcfaeffa4e4e2f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d4e3dd467506e38e3807bd66424d381e

SHA1
3e7a18cc0d7108654517a4f2be4927bfc0e44af3

SHA256
f4f36c7ce09fdea934f74b059946b9b43b74bb5d3cd71a9805052e4eb0f33017

SHA512
d5afa60cc15f584fde7ae3ffeda073c8f75ce618835c1a942bf05e315fbcf05109f5ad77212905d91009566f7d6d830967d74859d2e2cc9ba39d1a408a30aedf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583208.TMP

Filesize
48B

MD5
83e42cd4c382b5b3d15405a01e80836e

SHA1
8927dbee6c21f189fe68124fea8a709756ef4dcd

SHA256
c9bb37f134f80672dc9f4bee0c85b89850713410a1999a8278ce72f7b68ad7ff

SHA512
47d9691fe559124a11d54042a65115fc0574f33694ad2fed2efc953136d9b947ff602756ad38f0cf09226e46e8caba117905368c5391a5de9ba8c00e27d05622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fbbe557e11d4298c210ba4c8dcf3bc10

SHA1
7de3026e3de56d9633573109fedbceb4e4e5e1b5

SHA256
5c29db87c9724820ea3b2ad15b10e30bedd956cd11430733553df5fd5a8e242b

SHA512
6ca0ace5560d207e43cfa939314de636ca7cf13b40bea8d04ef2f1815ffaba925dde84d06bf4b6da9a3720bfce4a73f7600596511dd9ae2f5e12068a9aa6d91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39b2bc5b7398bdd533696c38fc17fd82

SHA1
c9ae72771222e0cc438da5e7ec902a34811089b9

SHA256
72e2ec55514c1e0d09608711589431b1e0852b5e2f111440e3a3a163d831f8ed

SHA512
655f9d1b2540bd32685b7d03191a2f54034fab9b30e027ffb9ff4c9ac4e09b5ed4ea97817f3498ab784bcc41c7c07ffbcb2f520a0fb41de085d03ab7187f0e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2697e5810ec9dcedcdd1ed10abe0a380

SHA1
dd22b64ef6ee5aab3935e4f38e613327cde24eb9

SHA256
3eba97436b5fbf51af2ca8fd7cfd20f794c9b13e1afe568b7ccba399b13ddfe1

SHA512
70c31212610349dce63b46c92f04316c5bde8e393261b0d747ca0f628065c2d65b4fde6c39491e9bf65d242d9af2537099babd5141e41ead72bfe3229af48f4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\LightWorksSetup.exe

Filesize
78KB

MD5
3db91f4e92c673d99ab41c7ac4943b31

SHA1
de8102b435168e71deefab5c1172aa179903b44e

SHA256
e35443c6d578500cc1910d073f645249a292c3e9a5c87e6e7cd6d07b291dd267

SHA512
23dc45e3f63496cdb1cdf7a6d12877d68e5dfceb4a5a111a43a58d894fde38e882c5a8c9113d2ae512c03848ae63d093c7bf8ef9af186ff24004def3a36ed802

Download Submit
memory/3928-371-0x0000023530310000-0x0000023530328000-memory.dmp

Filesize
96KB

Download
memory/3928-372-0x000002354AA30000-0x000002354ABF2000-memory.dmp

Filesize
1.8MB

Download
memory/3928-373-0x000002354B230000-0x000002354B758000-memory.dmp

Filesize
5.2MB

Download