discordrat | hxxps://gofile[.]io/d/0SUt1O

Analysis

max time kernel
32s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/0SUt1O

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwNDA5MjMyNDYwNzAzNzUyMQ.G_MZ_C.gPt6Zgas-qnpxhzfZWUI_Hkg16wnZOWz-eDu-s
server_id
1304093020982870139

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

cracked-wave.exe

pid process

3312 cracked-wave.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

2 discord.com
22 discord.com
24 discord.com
25 discord.com
26 discord.com
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\cracked-wave.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
3312	cracked-wave.exe

flow	ioc
2	discord.com
22	discord.com
24	discord.com
25	discord.com
26	discord.com

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\cracked-wave.exe:Zone.Identifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 376015.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\cracked-wave.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1308	msedge.exe
1308	msedge.exe
3580	msedge.exe
3580	msedge.exe
2776	msedge.exe
2776	msedge.exe
5068	identity_helper.exe
5068	identity_helper.exe
4888	msedge.exe
4888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
3580 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cracked-wave.exe

description pid process

Token: SeDebugPrivilege 3312 cracked-wave.exe

description	pid	process
Token: SeDebugPrivilege	3312	cracked-wave.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3580 wrote to memory of 4376	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 4376	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 3320	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 1308	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 1308	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe
PID 3580 wrote to memory of 2516	3580	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/0SUt1O
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd73293cb8,0x7ffd73293cc8,0x7ffd73293cd8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,18228768003000061466,16918522868955843520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Users\Admin\Downloads\cracked-wave.exe
  "C:\Users\Admin\Downloads\cracked-wave.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
457c4b7b3af9982fd9bf1e60a75d36ef

SHA1
a5966482607cfedfe83de02c684becbe19ebb7a8

SHA256
ff7213273228c1d1855874dfa3cebbf4eb78c014aa0519c75b5462024115dff6

SHA512
09bf4bec73c00ac348598a1aea51af374a135da84a86ff0aa234949f898357ec4862b3342a14f30d1e5392efbf04d1347347877a56febf11da1e0e8d5571ca26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be70d423280eee2a773fd959f3abddef

SHA1
7ad7b31cd2ae79bcc611debb087e73c0c4191e78

SHA256
a3b1a2fb2de2d144443d19be1eff1af663c7287a2e6f67e5e443f3114c1d0fed

SHA512
96fec79f9f133574150452d10537ab8ade1a8aa15f596f8f78718da50481b8744fc8051875252973940657f8c9083bf84b0bebb9daed25f66605037a9b01592f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d988bb42bd4b4606efcfaa6bcc886b6

SHA1
a97c752df363df8772847076142a7434104ee66e

SHA256
274b5c1aed099b4a8b262f4b4681d5cae6b6e515419440c03ec160a2415922c3

SHA512
54b0c8cbc76e7d56db6594e26cec6b58f590da2ebd9d86e5d2a706875f85ef724d0a3f5b8fa25fdb6e284eee8438902f9ecf2ffafb2a805c0f678786bf6a8e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f5b2b65fde84c1e421683b87765dfd0

SHA1
29654a018014ff163ddf6baaecf9c54ddad03168

SHA256
5836e242ebada6fd04b4c688c3b2a9d1cd5e7c98879bf4567db7d2fa94984357

SHA512
e3ee3b2b90c05f8403448504604e50ebbb16ce42f8641869d3bbd08413bc4db2778cc5db2bd46d8feb6ebd937b8e46dbf4036de7a24e185afc2b51bfee3dc393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eded042ce2aec76f5bd1db299b75599b

SHA1
473050da9f74f4f13ec0c738ac10eceb36d22252

SHA256
38e745c653c614cd9d559d1c158cdc1080016e6f14f4fbc85f1fb370c9918bfa

SHA512
acfcebee712f1869120a711c49ca4f4adcaf0f6e0bdeaa7a7aeaec01c415d9806822e567eb443c6b51edf9c0ef0dbd43fcaf2716cc468e3c58dddf4c6a907497

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 376015.crdownload

Filesize
78KB

MD5
bc38c5f7f8898844dcbb8d560faf3ef8

SHA1
0f58fd68c3bcd6031764fb25df66f4dbdfa8dc29

SHA256
e578b30b0ceb01ef3659c6cb1ae02836842fa9d8131ac4f48048e1ea0019430a

SHA512
5c70f91afff0fa1b0a44332cbea5ba6a1d962babd6a1bc580a1c3f8f2b118112c2009135336307433bbb66e77f58c9e531e0d8d15aceeee134270bd06a2e34c0

Download Submit
C:\Users\Admin\Downloads\cracked-wave.exe:Zone.Identifier

Filesize
159B

MD5
de5e6792897993e37377eb8bdfe76e09

SHA1
d908a25bffe79d97e022962eaff8551c36b97a52

SHA256
4342028d7e06a40ee042d94fed5301375268636fec95816453815beb74481feb

SHA512
ce1bb588d10da1256e90eceb151990dcb7e89282fe2e196c95ebfe88a820958931b949cba9363ecbf65ff3416b6bf855b9d764994ca07e36076c7c812a5a27ac

Download Submit
\??\pipe\LOCAL\crashpad_3580_PGUQHRXBZUVVRMUM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3312-102-0x00000249C93D0000-0x00000249C93E8000-memory.dmp

Filesize
96KB

Download
memory/3312-103-0x00000249E3A90000-0x00000249E3C52000-memory.dmp

Filesize
1.8MB

Download
memory/3312-104-0x00000249E4290000-0x00000249E47B8000-memory.dmp

Filesize
5.2MB

Download