discordrat | hxxps://gofile[.]io/d/yMIF1D

Analysis

max time kernel
116s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/yMIF1D

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3MDQ0NTIxMDE5MDQ3OTQ0MA.GjFin0.X1Vtr9hv82eTV0R0_ajh8rIg2ENQGVkar8dWcM
server_id
1269293168697020497

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
40	discord.com
41	discord.com
65	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
4424	msedge.exe
4424	msedge.exe
2608	identity_helper.exe
2608	identity_helper.exe
4388	msedge.exe
4388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	Client-built.exe
Token: SeDebugPrivilege	4720	Client-built.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4184	4424	msedge.exe	83
PID 4424 wrote to memory of 4184	4424	msedge.exe	83
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2684	4424	msedge.exe	84
PID 4424 wrote to memory of 2940	4424	msedge.exe	85
PID 4424 wrote to memory of 2940	4424	msedge.exe	85
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86
PID 4424 wrote to memory of 1552	4424	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/yMIF1D
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc7b446f8,0x7fffc7b44708,0x7fffc7b44718
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8485280315181371873,6129141284634079710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3680

C:\Users\Admin\Downloads\eee\eee\Client-built.exe
"C:\Users\Admin\Downloads\eee\eee\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Admin\Downloads\eee\eee\Client-built.exe
"C:\Users\Admin\Downloads\eee\eee\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2f658c02-de73-45e9-98d1-dfbd66e224f5.tmp

Filesize
6KB

MD5
20aea3552baf7eb9deba4adcda65ff16

SHA1
aeabc7a3876692f6e81f6bd79022827c1ecbd8df

SHA256
91adfd4e3a9c7eefa40b5e23637e57c871e49fc817da3e87fb8e492053faf28d

SHA512
d354bff84a71da32ae999a6a97e08a564756bedca5bcba043519c60f0ed65e60c9949cbc9e2ce12365b46fc3e612949bb8a68b4c7f615e06075eaa97730a61a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
befc1cb73820c463fe830ae66e5c95e4

SHA1
42c71cde0f88dab529ecb447f911a9d6e47398bc

SHA256
b548a09245427cde787d62405b14b483f35822abac480ea48e9a2efa0043497b

SHA512
c0f16485b2aa9e6af2fb85d408c4cb5b2636f8573ba1222df52745bfaa59c34fac4becff54796ad57abeb3d3a179df48970b2dc4747fd2b2ee42e61754ac2ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
d3dec18bb94719971f2fca51c7457284

SHA1
fbe56fd514e178ecccb27b047e9c4a28f85969c4

SHA256
49bf2e0fd563e5a70eef9e3826e4e676d36763b75a56a667b99d061d8e40c433

SHA512
a5dbb443eb2e99435f0b302177eaee58b207806279d7c3e299371d401277bb0ae008902eb70075664976212571430c26febc7e47d71a47bd3a75829be5f9baa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
507c89a8e4a82de83f5526aab3687015

SHA1
630aabdc4d21850dc0bb14c078b1ad10da4e5a2c

SHA256
62fbeacce8d826ecb22409a454b3c1c515948d938e94132807b330965b45dd38

SHA512
ab7dc3267e43ba66b786155337c71db6fdde23ac12e851fb47e70d12dc2618ca657a671e33628ab4a3bb4d8de4444c050ca6ffebc750aa42cc1f807f9017b7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
df6b74b7682a292bbcb8e7687107257e

SHA1
8628ac2d62bf6a6d535ef3ea47bde9a6ac4a82c2

SHA256
30dc005c9024ddaf82e7de40a6614bb29d20ce6c9f8654ef49ebacecd8d86dba

SHA512
12860c1bf93d86927d6186b00c87dfefb127d943a936cda38ee3a9bfa5d94c17bb3b34597c2f47d70b57ee58fb8df6d0918a7d2c3e2fe0aac9006233d33736d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a6d1ab57b944190d9ad06fced5607ef

SHA1
a3b1d1dfc7bf6516e2092927b5839f19659722b0

SHA256
09d716c8149172c15e5f00be15360498e28de33793f08e58ccb9aa56aa8b9c11

SHA512
c8da134af52322db8e9de06c97b1792278374aa711bcecd978cbebdd86c0bde39ff8c3253cd006f437eded27fd7b7bebd2dc55fd9a7ce7abbb6e4d4c70b9487e

Download Submit
C:\Users\Admin\Downloads\eee.zip

Filesize
28KB

MD5
c84d32c336647a1659130e7dc5a203ff

SHA1
9199fe4d591509043325e9eda3e9fdd9bba899a1

SHA256
0dd064059ed0acd8bc38bcc38be56c59cf5304a5305f52b8e1e3733c236868c0

SHA512
8f3e6400a1d885b54c9cb085382f5106b20b8c293edac651f913ca2bdedb9bbb6499a6b888a37dfd031b257244a145cea93342f6e107dd87ed096a0357787a52

Download Submit
memory/4272-101-0x000001D6F6A10000-0x000001D6F6A28000-memory.dmp

Filesize
96KB

Download
memory/4272-102-0x000001D6F9170000-0x000001D6F9332000-memory.dmp

Filesize
1.8MB

Download
memory/4272-103-0x000001D6F9870000-0x000001D6F9D98000-memory.dmp

Filesize
5.2MB

Download