discordrat | hxxps://mega[.]nz/file/1UZxiDhI#3I2TwpY9U8SZXYQmbtvAoVUoN63T_sR1TsPTIjU3BYI

Analysis

max time kernel
56s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1UZxiDhI#3I2TwpY9U8SZXYQmbtvAoVUoN63T_sR1TsPTIjU3BYI

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MDA4NTEyNjUyODgzMTUxMQ.Gw7axc.eDjVgfX57Vq29U5wfvpEp1ZNwvynufmC27K-yM
server_id
1290085964475007130

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Wave Executor.exe

Executes dropped EXE 2 IoCs

pid	Process
4208	Wave Executor.exe
3592	Wave.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 993618.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2464	msedge.exe
2464	msedge.exe
1700	msedge.exe
1700	msedge.exe
4748	identity_helper.exe
4748	identity_helper.exe
4628	msedge.exe
4628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	976	AUDIODG.EXE
Token: SeDebugPrivilege	3592	Wave.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4208	Wave Executor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3612	1700	msedge.exe	82
PID 1700 wrote to memory of 3612	1700	msedge.exe	82
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2592	1700	msedge.exe	85
PID 1700 wrote to memory of 2464	1700	msedge.exe	86
PID 1700 wrote to memory of 2464	1700	msedge.exe	86
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87
PID 1700 wrote to memory of 1460	1700	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/1UZxiDhI#3I2TwpY9U8SZXYQmbtvAoVUoN63T_sR1TsPTIjU3BYI
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff915d146f8,0x7ff915d14708,0x7ff915d14718
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Users\Admin\Downloads\Wave Executor.exe
  "C:\Users\Admin\Downloads\Wave Executor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wave.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wave.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15599914418985990702,8442749853664328431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2dc 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
891839d1b931bba25cb345570b7c9219

SHA1
382ce6e87758ab876c4129ea0ac32fbb4dde204c

SHA256
14676d774a4a02f32ac7446f1cac57214296ab00132cbfd022c196dca78c553c

SHA512
e6aecb7aa762bc257c9df4a680128e37b241bf3089819ba853849ce25f94be16fdf129f4efe1666a2314f0551856c3c278e89887a7647b3b18c77ee4a73b4d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5bb4f953d0e0ed04199ff9bde6e96d3e

SHA1
e84772e7bc94af0c7c95cb1b72700122a8c1db7c

SHA256
12c4b0c41c901baf82fcf473bc5522b22f3d1285901e1b7207ef484157d1a350

SHA512
2a768ae3490400e172bbae11f41856466ab54cde2c5964a767c5914597765a5db0bdd93c3fa5aa9e1306df7dfe9c84ab3aa38b1d1bba99d0cac7c96c5fd92263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c2e68cc77e8cd42109c10e68b8d2171

SHA1
67c0666970c802b58e0ad585e23412aedbc3c823

SHA256
ab4d55aedab41a439f4865e1befc49bcee90226fe5c900bf3bf93452097a7f55

SHA512
8ac86f7dc8c3816a417b11283b436acb6db381e4038fa36199923f3299db21b8ea5553fb8b5c75fea01f5cec43b73a53de9091ec0a1e8097c13942f9a3daca4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93454165af3b2fc61cbfad0034144129

SHA1
5cf25f76d79f93b40763305a43bd6f67d73a9c77

SHA256
91d843ec9456d759f55d823b1a8244d2dbfe5b9d40aed4d81935d8f0a888e0b2

SHA512
d7b74734bd42b65fd8a7135c6b53bda83c004cfbf5030444c6a2710a1e255cf5e1335dd5107f67980b0e06297e8f328b3982fd0efbeb3e204311721c7797787b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2b5284f1e8184adba44d2396939bbe1

SHA1
72bc2ef5ac1fef17fd179e422b5bd3b3471be059

SHA256
48607bf51f5043ff0f2de9876580b142660fc91822dd828d26d5aa562293154f

SHA512
50e8a1a88443ac22e94c27145c0dcb5ca42f9a56a41aa6db3b4ba2fa0c49129b2e3f1e2ae2c44f8a2c00253efe8d1ebd2055878f85989637a8ab8ea1d839d900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
006a060f27a30e41030bd4847a626e61

SHA1
1d469c7f2e509861977720fe23443033e70cc01a

SHA256
1cb3dd8a37571076f6d816a86e01d43ec2c6bdb28b2b70bddfb83f0d5acf9b51

SHA512
083b2dd57b72f14c7c95200404936f4b130ba994c458504aba08916577e2dded0fc1b361518dbbbb36c08676482551cf017efc6927ff6d67f3f22c5f63422475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
53614be47de606dab3bdfdf24db1d225

SHA1
985fde217cd8d8ecbafda4ef929c315daea43ba0

SHA256
18ac5da4b500dae38f7ee19e5c09e3eab9eb5a95f5a0831643b9d6fbddec3edb

SHA512
6a520c55f27e05666cc3a9fb138177fb3ee3dd2ed739db2a98806d434fddc34138c2789f52c2c2c2b78a7b89c35e8ce9ad4967593539a3891a8f41b820424aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f8e7.TMP

Filesize
48B

MD5
d0f5ce3c4a0aa01ebb5f49b1b94fc7d1

SHA1
8a61be4babc8f582df57e14217ef2f1808872bbc

SHA256
3960f8a8f0051aad21619042da09d4ebcfbaea0aaa0bc2b2a297e649c96fbef7

SHA512
432eceb882b7e19fb275a075d69e2ccd86f8395eece454bb34ecab446074ef10b45384f4758dacd4284a824e2879cff4f915864235f442417ff72b389cbcad4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
303b25b7efd614a20ecd38d3ebb2d9f6

SHA1
e8c5fd0a835bad5874ece038711d5b775fd26b8c

SHA256
5d94f1a4feb5f2b6533c5d9efc01dcda29cbb3da0e74c323e1737069d28d565b

SHA512
b5108ffd36af64daaa158957019a1eb7899d5623566f5045126c7c25f21926b02bd8df66b6c4527061e57d7272393d62e9b4e540874b8caab8d30f3d2aa755a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b0afe5eef09a33bf6ca503ee0c5b8bf5

SHA1
2eb72be6d44162691e543c5101723a5770ef9b6c

SHA256
d7077de85c2190d1e638fa548b36714a1020fffce67907275aee4f946a2cdf48

SHA512
22c06bcb436347a4321f729c7d02b643d1f8e1f4b795edc309d53ecdb4c550a718cd61731985f97e9dfa6208c2ace8b8384b35f8e69b2cec80a11b03645d9a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8a449c41f5effd7725ab5e4c0293e87b

SHA1
4ddaa23e6233259780b85924d02f39e13065d592

SHA256
d6d94b702e9e8775a369733734f7a5502ae3bb95aaaff6c14b30b293529b0181

SHA512
1c11988c89e20c4a41ce3caf1820a21625d832aaebabaf15a353875227bac2d6318a6eed6b114d48ee97051782847616f526da11219b78ea26e1b4ed9178a510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9be269a2a029d8f77140933cec28315c

SHA1
5fac23c9bd344c7fa634563f3de33926823cc761

SHA256
84b53ef0dd16fd2e793c619fc9b239bab041e32f4f8080c85a89d90cb0d54a73

SHA512
d3bd630261bdfecbbd6d88bac55083ed7a174bc0aefed8c9f88e4a21d5de93226807a295eb42f6b39bbd16733260de5e27472a2997b9233a337406a98582bfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wave.exe

Filesize
78KB

MD5
7a535ac9af618ba9d847706ee1ce3882

SHA1
01e489f099620dc7056d7f770860d72c21d74c07

SHA256
9ab588f54d35b6ce3488ef1af4551d6a6c5e31b8d9d3fce0eca01be5d3e7a2bc

SHA512
042be4d0a45e1261e3ad78c8bc03dd6bb3977a3a229aa179155b6826b94c1bedb39b8e29c57005d708deb2e08d173aeefdc7c552b815e2f1507a6eb079573e26

Download Submit
C:\Users\Admin\Downloads\Wave Executor.exe

Filesize
490KB

MD5
83768e58257bf6c17914c143ad04646d

SHA1
a34a4daa5c67bee10a1ebd7266eea28c853c26b5

SHA256
089c1026ff8a07dfce20b3d91bf34b7de8d4360e49dad72fb035d597794d4715

SHA512
4df1cd41b9d4dc5f8ccaa47b0e21fa4af451f02f924b5e131764c60cb03dfd43ca4e02819c8b71b015d70338f2918bc4c1a3f860b27aac38daeece980c2214a2

Download Submit
memory/3592-249-0x000001CB3F520000-0x000001CB3F538000-memory.dmp

Filesize
96KB

Download
memory/3592-250-0x000001CB59AD0000-0x000001CB59C92000-memory.dmp

Filesize
1.8MB

Download
memory/3592-251-0x000001CB5A2D0000-0x000001CB5A7F8000-memory.dmp

Filesize
5.2MB

Download