discordrat | 7bdb19204fec2ec0addc3761372caef85894bacf999c6c2fe80c64eef3abd936

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Makala Executor/Makala Bootstrapper.exe
Size

78KB
MD5

6a7ea29ef2fb6c36471d0e055b81f084
SHA1

168ba0b3c3f51d89b4b3e5be7c91a813a51387c2
SHA256

cd562416060b65c4e342e62169e7d6136f7043e5252943b1a7033d9160ee383a
SHA512

f9ad092b14d16c13ddc1e791147efc2edfbe875865ee523bbb190ee851725ae3c909eabd15f9ad193d5cbedefa46802a886713cc471f0c2308e51fae61e9256e
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODM1MTU3NDYzNjAzNjEyNg.GOjBDm.fj5GQTX1yf12bG6cA-jFqOCZzVLbT2a7KZ8L7Y
server_id
1031700632450641981

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
107	discord.com
11	discord.com
12	discord.com
20	discord.com
27	discord.com
104	discord.com
105	discord.com
106	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{3D0D66E2-3C10-4C5C-85F9-166EDC5E4340}	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2572	msedge.exe
2572	msedge.exe
1780	msedge.exe
1780	msedge.exe
4312	identity_helper.exe
4312	identity_helper.exe
4708	msedge.exe
4052	msedge.exe
4052	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	Makala Bootstrapper.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1780	3464	Makala Bootstrapper.exe	93
PID 3464 wrote to memory of 1780	3464	Makala Bootstrapper.exe	93
PID 1780 wrote to memory of 856	1780	msedge.exe	94
PID 1780 wrote to memory of 856	1780	msedge.exe	94
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 1320	1780	msedge.exe	95
PID 1780 wrote to memory of 2572	1780	msedge.exe	96
PID 1780 wrote to memory of 2572	1780	msedge.exe	96
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97
PID 1780 wrote to memory of 4648	1780	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\Makala Executor\Makala Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Makala Executor\Makala Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com/home
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa970346f8,0x7ffa97034708,0x7ffa97034718
    3⤵
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:1320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
    3⤵
    PID:4376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
    3⤵
    PID:1600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=1808 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5968 /prefetch:8
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5980 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1689922844572240250,12226616047992824484,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6240 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
520fdbb13875db99f5d2d92e8b493d84

SHA1
e275560bc6863158acc5021360c06d58c1874475

SHA256
cd83ac554a3a842bc55d57d8f0367708abf06e81b5a1054f990a9cceb8feb0f9

SHA512
ffc3f29a8e6ca20d99209355116e9f85adfe913069179b3179da7c1d879667f9caec2bfa15190cc7c557bbb0284803d424ecbf58f72c18b5eec6fd51289b1463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7329602711f64b3d82fdfd25ca124aba

SHA1
37129906ab95d47941a4d53614778114242770ab

SHA256
8a9bf39994ba5cd9e9e611e34de797b0801c2af1a7683a496fbf228418a93e5a

SHA512
26ff576db16edbf3da733e9d12feedceb030efe1fc847e4843f399309525f64baa759f0ca94a5d341360513f2bd102219b768baea979fa6b260f41e3f200f0a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
768B

MD5
8bff5362d46817847920236c25886e62

SHA1
6f4350be7c9aa8bf505d81b6e581f56f561de137

SHA256
8b8d80545d5878a75f4032cd152407cb8da6e246d9a654f623ed2308efe35285

SHA512
25df4cd175750efb7bb69f857e70bd9653b0358e856a8f86d50a9340589de202bc7b4430756a2f605af56e72005c34e47e2e6c0333da145c71637cc36563b9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
db97ab9cc382b11a414d89b5a8c20502

SHA1
a52552051fa40c7b2ed273bdcf88478097e57588

SHA256
c1caf8f059e9f06ca26806af1017305c25e4e80ba7a82f7c8dda83aa230f1e54

SHA512
fd5f548ce8efc0ba9da6d06e147d5f491f65a6c6479a432b34488de50f6bc17a0b53d3fb5e4dfb78d486890b9fe8b64f4775ea67e033ff2db522095ba6728164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd715a8d18ed3e0967eed6c9a5baeed0

SHA1
01a8d2a753f0cb903fb285eb247759dd76ddbaa1

SHA256
3184c6c6b3c4ba7ac255b36e6a7d58988a978e767e1a6f28d3fdb96514a275dd

SHA512
d9d40cd6aeffdad36cbee88796ec5ba064c1cd96e5815fb17b7ec5d706aa48ffd6c5313546cf90e83187ba25a9750456638e508d458e192dd7a5ec4656a94e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dcb2ba94368be544befb9f3dc745b221

SHA1
fae7a0c424e888e22dcd4f2018a088972e98c9f9

SHA256
11796b60baa2632339935dd6b90a9d0b9007ec738c07b553123f49ef237d1230

SHA512
45c8e680eb4d2f74d4d4dc5b0ef326c52b9a6297fa5782db9f4287f1dea32b52e1cd5364ca88dbd67dea979b206d420fb95f852bb3ba3cde641e4e031e48a545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4310dedff14ed8243bf7a5172759f4fb

SHA1
f3948f9b37bad8b237179d999da50b275bac1d7c

SHA256
4608cd925a085b8bd4a96837d3f10d121f3267395ea5a7ef2e94f07a94910213

SHA512
8d52bb87dcd904a3d1b08713e1c60fbc9fd168d58e00e2cc8a095ec191523658aa703c6c7884b9a8b1ff17e5cacb040bdf4df1fe54a4490d977bdb4006cb969f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ce4239f916da34f3570a8aa1d400486

SHA1
71b35130d6e9e0612c89c256e55cfcc9f4c034e8

SHA256
7ff21eeacdc61c38847636852d28c93b1b600462b797e004884393d0d5d1a66c

SHA512
fd02c6f15822cc7f819b5852a525edb685b35ffb125030527db34772d5ac8259cd94c5d955e2eb15ad3495fae6e264abcfaea1dfc09f2ec3bcfeee5f3a9ffc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b4ce347fc89eda69e1d1861e3a3d1637

SHA1
872e5b005b3597fa1806a79c81d75f04f70abcee

SHA256
3dc96d27a36764f6125d81bb02ddd2c7cb989a7ed4fb409662774d54e1f7b938

SHA512
ac06533bacdec0e819feb7711cc7f8f87564e5d0effae23a52b256af1c7c539b118a1fc73e0412537e8e0bd4261c0efe67e56f116a5dc4450187b0a74cc615ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5707631070fda64970033963a76c00e7

SHA1
6311fe7d4271adf5904d54a8eb22ef1e4ded99f5

SHA256
a02946caa7a35ee57aad6460933af0f24a93a2b02407f1af19ad2e8946104e08

SHA512
331fd4c5fec835baa0cc03108c9904cd415243fe41b580608702dd2feebc85bf63120fe9f9caf968fea4f7b42872e8d0d39bcd8557058386226c580b1e1ce651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2b71b29aef2691eec84ba4aaa36944f

SHA1
c38994210eca3a3a2c023ee9e1f73742283c7120

SHA256
f3d91cf4c30f3c8123b1cc050aa1467d446b6652dfa9b87d57f7178a5a416c89

SHA512
9ac045e338ba631c208a632202154d12e700c71d8f507e16947fd8b6f8031671c39b98d0dbd33d7929c4411b5a3b627daae3ef9062ac61be266cbb511e644f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d2c4904cc621d838334e6bd7b201a212

SHA1
7e916dbd6bea76f8d65c6837c251ed36d3a56ef4

SHA256
b8b08c79852e48edbc6a6bb190dab23f5eea026745d019db7d679e2a5172f75f

SHA512
fad473c33776525759cbaeb896887ffc7693a9ea6d9b444b9a1e55d1eb559be43f945c5a0a766248480b4af4a45cea277540919ac554e43ca6d62dca84a67165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec879935409d21644841593e3f608e77

SHA1
4f646e1232905c750a817cd9b77f7511cd35b348

SHA256
a8e85d287687c19a94269ad1c1416ed40420b448d86f73e69f9ecb8c4f9a5f38

SHA512
ffaac93c84e6ae1ddd5ee478dfcfb9c823a271d0789c097370a39a9eec998dd310aa7b1dd08e260d7cee983781a3fc7a0ffeb5a7733b2d4d4370385794bee8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a79772f86a83cc7c1c7a50a45c7373a

SHA1
e11da2ef9c0c239dc9610a8f5abeee8a14ea8cb6

SHA256
d8ad68fbcd348d773d60a615437d41d9d3c92b1b4aa352f93939d6d1221ed028

SHA512
08dbe5f90e4a44b78c60909133e340664fb7e4d398b9a5eccd6bcd25a4381d7d7763396b74f30913235c86be01c0c3a9e1366dfb624357d3ba65235c2d03f066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58312d.TMP

Filesize
1KB

MD5
f1f6e33ce051168e053dc3f90fea00c8

SHA1
95249cec98e4685b716268fb92867cd420f9a1ee

SHA256
5b9e62fb20014eb884fcb180bcf34bf401a23aa42584adbc926c649c5f3143e1

SHA512
18f73fc99f687a7c0dbecd2b7f2d7ae57418d4e3cee21cf8cf4b94b848e878f22dfe300a952273144c219a5335041b4ef119d8939c0e21284c0cf4a8c50dd0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
133310a612e1f7f864da878ab267c4bd

SHA1
c3b655ad298b03f5b08f6346442a6eaae7049365

SHA256
455e089bad659cf99a8bbedbddb2cf9cd4db8cbb976e45edd76c962a7b6d883d

SHA512
54ab62719191a48e5739d6b40eeaa28efc5ccf8a1a8f99960322ba0d44fd1e7509b4a45776e37b566e131e7c195a190e0c5f2e37c9ea7894cb7856cf89de5b61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3464-5-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

Filesize
8KB

Download
memory/3464-0-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

Filesize
8KB

Download
memory/3464-4-0x000001B4BF3C0000-0x000001B4BF8E8000-memory.dmp

Filesize
5.2MB

Download
memory/3464-1-0x000001B4A4560000-0x000001B4A4578000-memory.dmp

Filesize
96KB

Download
memory/3464-6-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/3464-3-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/3464-2-0x000001B4BEBC0000-0x000001B4BED82000-memory.dmp

Filesize
1.8MB

Download