discordrat | hxxps://mega[.]nz/file/1BBCyKKR#0BcXNMbdW1r2fsggeRP4xvvq6yXd_ftr7wOQEcDIp_Y

Resubmissions

25-08-2024 15:09

240825-sjwhzszgrc 10

25-08-2024 15:09

240825-sjk29azgph 3

25-08-2024 15:06

240825-sgxy2azgkc 10

25-08-2024 15:04

240825-sfkbjszfng 10

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1BBCyKKR#0BcXNMbdW1r2fsggeRP4xvvq6yXd_ftr7wOQEcDIp_Y

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3NzI3ODc1MTMxNDY3Nzg2Mw.GKptwK.6ttTGh-Su92JyjNbovqY4JTGfOdndadlxBfGrE
server_id
1277277846360031292

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 5 IoCs

pid	Process
5592	Client-built.exe
5692	Client-built.exe
6088	Client-built.exe
5496	Client-built.exe
5884	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
65	discord.com
66	discord.com
68	discord.com
88	discord.com
91	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 15740.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
3556	msedge.exe
3556	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe
5484	msedge.exe
5484	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	4912	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4912	AUDIODG.EXE
Token: SeDebugPrivilege	5592	Client-built.exe
Token: SeDebugPrivilege	5692	Client-built.exe
Token: SeDebugPrivilege	6088	Client-built.exe
Token: SeDebugPrivilege	5496	Client-built.exe
Token: SeDebugPrivilege	5884	Client-built.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1640	3556	msedge.exe	84
PID 3556 wrote to memory of 1640	3556	msedge.exe	84
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 2820	3556	msedge.exe	85
PID 3556 wrote to memory of 1796	3556	msedge.exe	86
PID 3556 wrote to memory of 1796	3556	msedge.exe	86
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87
PID 3556 wrote to memory of 2024	3556	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/1BBCyKKR#0BcXNMbdW1r2fsggeRP4xvvq6yXd_ftr7wOQEcDIp_Y
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f57d46f8,0x7ff9f57d4708,0x7ff9f57d4718
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5592
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11799661660744297442,2025038375496960086,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5944

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6088

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0c86b515a17c931e488f29eaac2c013e

SHA1
b203288a7afc086d952fdca1777228c1b4f41ea1

SHA256
43c4e4f3f7a8a9ed867a6a6547d2596c997bfa2cd72ba7150dde0ff576ac2c65

SHA512
30f636e230a5b9c628eeb0a6c266e97b95e62a9ba6e7bfd549de0b5c03b130a3af37fe70d71765b8d6622fff4e09d5f4f2da65face79009c988f8bdee9b2a3bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c4deea6c0ddddc4d14a8e9c9c3cd6ca

SHA1
4f53310791f1b9f283fe96ae4f935df1b95b28ed

SHA256
ffe0daf1ec227dcf8f345e083828da78754f7203d4c46a3d19c39793f7455890

SHA512
96e913fe77891a92de0af5af1e1e4e4184052ca88930c25aaa0788ec4d41b52afd15e8c4643019d5aae0646eaa24a0dfcb3f77077efb7f25cd936c1422db10cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
648e3bb1b45ec47b93e71a1e99109fd2

SHA1
3dd9176473ca937e3ca93b5a971071f2263fef59

SHA256
8fca35825929f320690977a7d1012090c5982c765c8772ea200cff3971b82d6d

SHA512
a6659e69811120419e17f0ccb1280bc0b0e7b93b5f1d8c597e65c1560efad9afbf421768c4665fdbb898159b42eace73e6d24157f5141120506a9562d0027a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4821f15ecbd92525e1122a850412af0

SHA1
d81b694877017a6d7eb88d6ca6bedf5f84c375da

SHA256
e5ca4bcb8d32b6539a9caf88fabb5a1959cccdf6a2c53d1018e88fda59208724

SHA512
99c053e1770a1b3cc213037411426010d26cb0c6128ff479041b582c389d6e4586976bc569590e2b41d95884403791910c810350d339b7cc13b698c9ad0c6832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9fbd1f3e835befb32463950ca7e5862b

SHA1
5d5511d44d16c49561f1f89bd53af05f002e152a

SHA256
b6d2cfd7b433312b8fb68feb88571ea89b3c59bbb9fc98f572424edeb0587840

SHA512
0e1e18e40320fde1070966c2e25bb2a79afb8cf9f4bb2ad6ba57bb80f3e7e11534c833e20fb256c6524d56a07b4bf0e469c707811d6b649f2115f7e6b45ea9ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e7df.TMP

Filesize
48B

MD5
aee1ec7158a77a32f33d5d1bbe030185

SHA1
e5181b2686663c9ec79f2a6e180b0fc8ee10494c

SHA256
508ead37f45b33bd47e0de793253a9ca659a19d2bda200c2a19185c0d2b5fb7b

SHA512
b81ec41ec49dd4f0a4377b56e7ed70cf35e831897e562d2d0bc89948bbc881b3ef8740e343e259665134c33d24a183539d1fa2e67998c183b7554834e014797c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f767434a69c20b0992b3b008ddcab40b

SHA1
be9544e28d34457eb65e6d2c532c042de2d1a7f9

SHA256
7e91282476050d4cd5167c221560549f33247837a5ba24a18ca952e99560164c

SHA512
5af3c948c52515a0d8d52ba2d2414de03f3f615befed8cfa57aa261ebd05756e76d9f2eb6dd832216003d0a8f0a6b9fa58b9e5d481ad21dffa62ca9b3306abea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd2c69af8e63018c1a5d099ca742b02d

SHA1
cfa7dca29af659ba17789553e8debd12e091340c

SHA256
1e5c8391f6fc40fc23853f3502a5a8c5bb26ec28b79c2a607d35d2435b10960b

SHA512
33420d4af659aeb38c967b1eaaf1292a48382075c369afa4f9a4422ba71603df0b6edc5bce49e554fea19fee3df161e382ef5eebba42570f901e67c4dd4a9b45

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
78KB

MD5
ff847e46cf128da78fd77a9e977e6419

SHA1
37d08015addba8cc4b7764d15b0f20416aa8da98

SHA256
c9f8cec5acf6448bf61584f9f04a477ec2af9f0e4ee4e79170b0ba7ce50da7b3

SHA512
6ccc3e14e7aeefb54d58b79428ee53601414b880ccff24673faa36311b4b9ee3aaf8c1b1b795e85e43d1a69f2876584889c122d4c9e1599244b2fbd04dd66fe0

Download Submit
memory/5592-176-0x000001D23F970000-0x000001D23F988000-memory.dmp

Filesize
96KB

Download
memory/5592-177-0x000001D25A0A0000-0x000001D25A262000-memory.dmp

Filesize
1.8MB

Download
memory/5692-179-0x00000234E2140000-0x00000234E2668000-memory.dmp

Filesize
5.2MB

Download