discordrat | hxxps://mega[.]nz/file/ZY5GAQZC#lLOrJE7fhrS0UqlD8Q7X7W6Vhgjq10wYM5kXGfbP0sg

Analysis

max time kernel
46s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ZY5GAQZC#lLOrJE7fhrS0UqlD8Q7X7W6Vhgjq10wYM5kXGfbP0sg

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTA4MDE1NzI4NTg4NTY5NDA2Mg.GXvt9S.ITft7z1KLbrM6yimBrvDzlhSWow-zInix0gFDY
server_id
1042489874802020394

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
5008	ports.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 700801.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2972	msedge.exe
2972	msedge.exe
3952	msedge.exe
3952	msedge.exe
4940	identity_helper.exe
4940	identity_helper.exe
2340	msedge.exe
2340	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4276	AUDIODG.EXE
Token: SeDebugPrivilege	5008	ports.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4540	3952	msedge.exe	82
PID 3952 wrote to memory of 4540	3952	msedge.exe	82
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2132	3952	msedge.exe	84
PID 3952 wrote to memory of 2972	3952	msedge.exe	85
PID 3952 wrote to memory of 2972	3952	msedge.exe	85
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86
PID 3952 wrote to memory of 1800	3952	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ZY5GAQZC#lLOrJE7fhrS0UqlD8Q7X7W6Vhgjq10wYM5kXGfbP0sg
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1b5b46f8,0x7ffe1b5b4708,0x7ffe1b5b4718
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Users\Admin\Downloads\ports.exe
  "C:\Users\Admin\Downloads\ports.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,473779782725420996,16416457334365632725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x240
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8d8ccfa6a8b1b15db876b848b8fdc102

SHA1
dc7d92c35e9c84d8d78ac0aedc926214cee68135

SHA256
b48f98046030e23b843422251481c3f19cfa0cf71fb36a8ff89dfcb152761f86

SHA512
6ae61b6cf236082b9930686ad2650c3ce3fa337550363e0858062dbb399093b0ac6bbca3d4c40101e222ce764fa4fb704bfc591e6d5b0a6c165f170cd6c9d5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e22c2898ac78c14a840076a8446b9d

SHA1
ff5b7cca3ff2c4e77e6330e2c5e2b62bb56e9fe6

SHA256
a5e570fc8d3a52027db48adf1301fe8dffc500a4bef04d0d6bff15fff78ade8d

SHA512
19381615be8f53ccae56a21c29c314c3247ac78fd3cf838f52ca98757b54f945f0d178cfb44ea5ad42fc68b3d3e6e7ce4e4f40eb69f791fa5132f591c62388e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f6615afcc7eda3630a9b99d63cfd43c8

SHA1
274222eebd2919994485f20399a7086f51bccc5b

SHA256
8946cfbc02cdc9c0cf62a362a72f21239ecbf5182e876b569e7e4cd6cb760c66

SHA512
4b1cd84edbc71d8f52dd2857340855b519d0023b42a01d6ab99de0515985bd2ef32de53bca467aaef446cf8735e2873f7ff5a4a75b4a9f0bcc63fcf34dafcf25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fd1a0e329feec310122f5fd88b1385e

SHA1
d292d82407fca77c6d977da24295bf1f193e5323

SHA256
4a5bd303fd19e6a7108f963f26155cb0aad2f2de8b2d8b63c717cf4a6372a417

SHA512
dc3f07279901e518e849d4a174486148c848fc0f6b538257c137bf55ba63e6860cd5da5e71f37ba9650401bbf15c0735457736d02ce771fcc6bc7cb1c90aa65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9e9784adcfc91aa3a11113b49790a4c

SHA1
02c4b0ee0c31dbec3e4ccc0877481a52379d63a7

SHA256
c73d90abd4600cdcbd67e473a75ebd792b538449ba539e1e4d4297d8db2119b8

SHA512
fc1f9c5b8105787b3a58992a8947e684c3e00d566f5f8e782a50d9a44e91053c8dfdf2fb5e30a01051c251c4eb88cda5380a0370c06d7b65fe34dc363f06ef97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1808d24131b1ee21bb0167ca05d935a0

SHA1
ab550f5a1b1893abedb1a990406d83657ddd925e

SHA256
2fe6f1db8e24bc6aac3ed50201e0b0010e5bb98cedd63f99a21e2c2d3bcfe39d

SHA512
de211dbbab91279fd46b28a47e2e9ce3b00687687f72713d8ebcc022929723053bc1628f0e9f8185a1b1057d9a4db4fa60aa66a75d363e0b68190e4c174a0e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76e34a8b0a054fb2cdea5b7c0babeaad

SHA1
e1af0493b86f983394af85dac9d1801e3236a6ad

SHA256
5b50ed370c118cd0450085f24184be09621a1a6bd22212e1c186eca5d1355e58

SHA512
58e87af6ada4b3d649e271fb3a3035d612c5a253396b397def6c17146a2a54dd7640725197118fc9bac74f03ead9d6cf456c265778c7d790f3a11da5d17768db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e49fa571ec84d757f0361552b4cb9194

SHA1
a622075f51adbf75cd438cffdcd4247bd631ed23

SHA256
a21c25e648e6af825e728efefcd42143151e4d6286c614f70dc5b2926cd14b26

SHA512
9eb5708ffddad3af042ae38a22f7e1acf74379da96bd6a4cf831fb5a535f52e4a085bdc0e5fa721a1a1c94bfe2b5d808458e5a917f895841b23212363eb5ebe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5823ee.TMP

Filesize
48B

MD5
a1186b1ab2b5235f6bc5c9933cf88bee

SHA1
76781a2243aac4003c73ad9655362a11b901252b

SHA256
ad134275b3185ec1f122c1b342ad0fbb0b2c8a7fd6483ceb9ecd06702cd6b74e

SHA512
ae7a1c306c4080f1fc3c504813cd21df2430a1c83dc480aba4b3d77e3357c803a6b15fa061aab272a89e97cad74dd7ba6703aced3c2411b8de7224de05567877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
64cccd522e07e9445b96f51a9087ec30

SHA1
a8aa4fb0f1c318b9d8f57ff382ce1b2aedc28922

SHA256
7fc8b9542fd8980dd83589326395eae58e8ed4ce18197030e622566235e9ecb6

SHA512
bdcb82d145958c3d696c8b66117af5f602698bd855c868da21cfe2ed5fc18e06a243c29afbb25b5bce8332f3284b0ec1fb40eca11b31b10c7e3ab425c7a123c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4184e89d6fd21ecb962aa4537d9a474f

SHA1
4ebbdd7e29d03951202275c2e3d3bb101275bbaa

SHA256
6d975e7d02dd261000665a85072316a9442af0b3b1b1d649fd6ccba2b4b903c9

SHA512
0cab9fd58d3a0f60144afb7598a4a7c3bcdbf5d04876001a21bde9deb5226ac05cff69d486d4f7b79835408f27ba4b221aab3749a4eca4d4fa33778af492e3da

Download Submit
C:\Users\Admin\Downloads\ports.exe

Filesize
78KB

MD5
7269ddf0d40fd8e1896d535039da3592

SHA1
2c80e665538bac58018102d768492f1fbaff85bf

SHA256
e0188e2b2567e96b4dc911433d5db2a614aa6d0850a82c98824594431fcc1e28

SHA512
b9e2ba76b30aa5ac9b2ea0741861ca50e6bb2b0f9061a44cff24ccbf5af978bd8066a476c0aa9312ae802e6aa1c68f2f87c513567a5c810e148827f7ba7e1c51

Download Submit
memory/5008-184-0x000001CA7BDC0000-0x000001CA7BDD8000-memory.dmp

Filesize
96KB

Download
memory/5008-185-0x000001CA7E390000-0x000001CA7E552000-memory.dmp

Filesize
1.8MB

Download
memory/5008-186-0x000001CA7F810000-0x000001CA7FD38000-memory.dmp

Filesize
5.2MB

Download