discordrat | hxxps://mega[.]nz/folder/mjIVHYJA#BG6qXiA7Ib7SKXgzZ6QSHw

Analysis

max time kernel
107s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-01-2025 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/mjIVHYJA#BG6qXiA7Ib7SKXgzZ6QSHw

Score

10^/10

discordrat defense_evasion discovery persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDk5NTYyOTc4MTk0MjI4Mg.GIgS-2.5W7uUhQ2AE0ZaWZI5VLj-xavARFY57ozLkOs_g
server_id
1330995110875238483

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
4200	gX GrABBER.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
37	discord.com
41	discord.com
1	discord.com
33	discord.com
35	discord.com
36	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6FBC.tmp.png"	gX GrABBER.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\gX GrABBER.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 48385.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\gX GrABBER.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
3040	msedge.exe
3040	msedge.exe
3300	identity_helper.exe
3300	identity_helper.exe
2364	msedge.exe
2364	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4052	AUDIODG.EXE
Token: SeDebugPrivilege	4200	gX GrABBER.exe
Token: SeShutdownPrivilege	4200	gX GrABBER.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2832	3040	msedge.exe	77
PID 3040 wrote to memory of 2832	3040	msedge.exe	77
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 408	3040	msedge.exe	78
PID 3040 wrote to memory of 1412	3040	msedge.exe	79
PID 3040 wrote to memory of 1412	3040	msedge.exe	79
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80
PID 3040 wrote to memory of 4076	3040	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/mjIVHYJA#BG6qXiA7Ib7SKXgzZ6QSHw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd73293cb8,0x7ffd73293cc8,0x7ffd73293cd8
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15007308122929855225,6551075860839200618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:804

C:\Users\Admin\Downloads\gX GrABBER.exe
"C:\Users\Admin\Downloads\gX GrABBER.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ac7c03a44c207eb3239bbba50fe66a34

SHA1
2a7de9f758e1e5fbbd9b4e6b132106d4743c836a

SHA256
1681c8bd0b2d86164f2e6e3ad595470a6fb40db5abbfcd34b0fac9cf8431b2aa

SHA512
a9d08c493076356b3e0e1ee5f738b39882d9b2aa497a85bd41c57e4ac8f4c5eded5960b44eb5bc2badc04b5997b393da5a9fb1e7dfa99369ce2ed43de32001c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
cb2c370608ed5735aec0094cbed1ddbb

SHA1
8b9da953294d7078e9636c4a122d4c98651bfc17

SHA256
01fc00c66b187f3bcf3aa0ab676274ae4629fe537f3e0a50c9c1528e0849d5b6

SHA512
87fc267886df91e9602f890fc931ed971f6892106bcc67774c5869f124755389f6016945d099a9966c08a93a1c1110f5d93242efff93a55de02cde39854ac9cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
abe9be5cca634de9c6f43c783bb5eb60

SHA1
0d1763e681b335a00d163da313c69cd27b57ce3a

SHA256
2295ac74039126f6dba9107b276963c625e2d7a2db87185d98ea81c42be8eb52

SHA512
92fed6a8292cbfa8d2b4c80d4486d4ef16c9dc895e1bb29130abad2e1f4dc1da24394748ada228595f0968fa57d9ca957391bb8572a5e1d67a1ec77bba7c6f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b72c7ae4f46c30f1978e262a0c5591c

SHA1
470edcdc2c714847f040067196571f6fd61afc41

SHA256
d6509258d3341b9fe350dc9ef1fe1d6ddb52d10e5f9aebccfe08ceeb9e320ea8

SHA512
97931895953e34092adf89ffd657d01118174325d99448aac8430902af6cb8d721528d08fd459a667cc7a3aedf75f45ccf709527ea5bb75d545c0586d73205f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14fc10decfc17e20c92e15fc9ffd2ca8

SHA1
4921316a5840542ca46045d7362583cb1f9bbaec

SHA256
fc4c21a83d7c96e24c63ca984a5247f37eb365d3e5438254a86f4b74ba156558

SHA512
2a56b70a85b25736d191cf5b8a396f91ac5dbe70cfd045a8f4120d8e4ee3d83b4a957e76fc956c1ce793b936f2c426a133d8afdd085679982d2fc4083e9885c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
34fcf617bd0ca56c3d249273e0823865

SHA1
157b4607e97a8fd41735d6fd83cf61017ca0579c

SHA256
8eb3623f6242d7726322591a306a64ff3bf72f32174aad8d5f3118b17fa78a01

SHA512
77c662169359bd6aa9cdab32ad7f42b96646f997244f607a82c3d4f5a89fcccad4d9aa88ef64b0cf85189a257406640f5b0a9beb79932ad5ed9a4e13de54ba86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e7df.TMP

Filesize
48B

MD5
0535213ebd74af78265486e72a92018b

SHA1
dffb4f2043e8e9f3b8e534a576133577553fdde0

SHA256
8875de630e4ff1605a42aa36ce64c333ca370a60c5f6d03f3d6e19d3f8147f9f

SHA512
3f72d0f7aec47e2c4367fdfac4da583a890572fbaaba09420833fd0b7067d298603c4d6513279d3104359dfcda4c5fb28fa283bdd964ccdbdf2e7dfec1bb8d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7772e879a31a0e151cdfc263a0360fd

SHA1
469b05f4aa3bf58bbeaa7e3a7512005b792a0a73

SHA256
d0a32a43fc00e396628f36e48bbc4fa78522bed199c8a6641052c609edbee9aa

SHA512
fba20131c3d4dc419a79901022d17fa3714947bdaf23eb00e54ce563561ba4bcaa473befe465182b75c42685d72466676a465bbec348df57178e5b2c88ed67ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aeda09e3a7efe9e9a3bde03e89c9745e

SHA1
525b98ae2f6a566dcbb1a05b8f9d3d5b2ae54711

SHA256
f9798b8f860341591f95ce5db68537e551664a24388d8d0f5421a414f663d9d9

SHA512
81f2eb9eff9dc0081e10230930de2d0ab9c3563364743ed7ef0489dc8dfa685b83085739f0b3b7890fe65199f4498543a18132964c8955311b25aa14b8a1d056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ea5b2b9d196f36dc8c6f3a715e3c11aa

SHA1
bfe2af3faf45d796be60623096b7d9e1e086f7c0

SHA256
05c60bc47be38eb9edd1c62280f71cfa5ad51bc20d6042322f6271b7f006298b

SHA512
3cb2b7e0a6cf7d2c5b1cdf824a07b5048de34c25e51f46c43254d5115e13dc20210d9d952c29477f738bffd619498e3a98026857c7160f1c1553adf8344951cd

Download Submit
C:\Users\Admin\Downloads\gX GrABBER.exe

Filesize
78KB

MD5
6aa66cda9c7e1fc4599c0d852b1ea94d

SHA1
cfd548fc2208dd5bda08cade3795e14d18104c36

SHA256
fbed570f3821debe1bba3e3ad7a2297e46976e77184ae514a00ef46ce293bcfe

SHA512
6c913f10b7a347d299fb426e1983394c6eccf3aa42314eef11a54ae3e0df84c36bcf8ae526b168cbaed886fd017536d0028d2a772714794d690c41e356dc8d30

Download Submit
C:\Users\Admin\Downloads\gX GrABBER.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/4200-207-0x00000246BD060000-0x00000246BD078000-memory.dmp

Filesize
96KB

Download
memory/4200-208-0x00000246D7700000-0x00000246D78C2000-memory.dmp

Filesize
1.8MB

Download
memory/4200-209-0x00000246D7F00000-0x00000246D8428000-memory.dmp

Filesize
5.2MB

Download
memory/4200-227-0x00000246D79D0000-0x00000246D7A78000-memory.dmp

Filesize
672KB

Download