discordrat | hxxps://gofile[.]io/d/NeYK1y

Analysis

max time kernel
426s
max time network
436s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25/01/2025, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/NeYK1y

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjcxOTY0MzA1OTY4NzU0Nw.GRp5C3.1IQZKZy2MbSnSwYaKfezmz3309HRsXz7cT4OEY
server_id
1332719292151763025

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
25	4532	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
6116	errorfix.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	discord.com
28	discord.com
30	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\errorfix.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 485048.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\errorfix.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
5240	msedge.exe
5240	msedge.exe
5264	msedge.exe
5264	msedge.exe
680	identity_helper.exe
680	identity_helper.exe
1892	msedge.exe
1892	msedge.exe
5292	msedge.exe
5292	msedge.exe
5292	msedge.exe
5292	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6116	errorfix.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5240 wrote to memory of 2932	5240	msedge.exe	77
PID 5240 wrote to memory of 2932	5240	msedge.exe	77
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 5892	5240	msedge.exe	78
PID 5240 wrote to memory of 4532	5240	msedge.exe	79
PID 5240 wrote to memory of 4532	5240	msedge.exe	79
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80
PID 5240 wrote to memory of 6072	5240	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/NeYK1y
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Users\Admin\Downloads\errorfix.exe
  "C:\Users\Admin\Downloads\errorfix.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,170692228392063897,12381672429994822569,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
c9a3a288e68d623862e6466bd03f3a7d

SHA1
cb6bdfd1b71815803381512fc06a9c2f665b5b3c

SHA256
5a8a8f92a0b8a4094b7d655666f6da9014111ba4ace289edd8dabf5b2a4af42b

SHA512
4f92bbd463795e9928d78037d2b14e09c2bff1e5b4df70d6319d2a78db340aeaa78454f5ccad28de1941e15f4e604f2bf21e48fb4832e6801d717a6d36c0bd08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
af37e39de81bdee39b60eb28cc58a54d

SHA1
e743c591a8e2f0ec6082969662abf7535c444fc6

SHA256
81c5cdcf737de4b1c1ca1b11ac83ca3ead05f2ae1f6e9347cad7213a7ab56b4c

SHA512
a7d594187232d92de104eed7b1c7321d7261b62e815b87de1880df659f79884a25dedf06c5ffa15107229b8bc8215972825f82e88e562b87f4e3025684fd6c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba49f5f206d5b67b5abf4eda64c08a66

SHA1
27fddc79ecf143c3976b2fcfb9a80d924f820368

SHA256
bc5584d76c17d7770331c15fbfaed2a607abfd5c1f373513160c1caa1d203b06

SHA512
f5bf58456f371b3d6e844a231b88151294eade5d009559e2de51beb267a3b7eab63877fc48f846a8a53bc285af1a81ce9f9e1868a768573a0a440a40f5051452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5679da77aa9c7e3c3e7b063ffc143171

SHA1
1a0396fb81097dac7973cf49e0994c02ad4b531e

SHA256
81ed5c5861814c5d0ad2f7944973475f2bab9b5de963886f033ef04e336e1c59

SHA512
71561ad1b34f1f2de4bbe373666287bd800527865e205b174e6366d5161ec24345cc18f5b67bc408e6931648b5f8d77d76c4d9ec6afd7a81ccbdf1e8ac4b5080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18a427c1355f4520b7d13959881887db

SHA1
de0b3a63a8e64e18bd098dcbd86e6edae0442770

SHA256
1bc0bcf3f3fa86adc2b2c3795a9a2c3b3dedf5f585a5a5eb8b84b2935a0d780d

SHA512
b5b0758987c61c94e1c2bc4645dd1f978050bf22f0dcd240ebd70a8ff256cc7bcc463fa35ba44ffbc81385e7ad4f09261afad1c60c2b54a3cafc96e7fadef2cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b8f7fb42ef73869712109cd42acc1a74

SHA1
12c11f621267075be831ad9ee0c90e24f06815d1

SHA256
db7332edf277d77698b6f9b45e2949f0eca0c02bb9034f8f3dab880f861a8cf6

SHA512
2a41f51cd5f5d3c0c85e8595862fcdde4ca731d4e8ec35cc2d419562fdb8d1fbf58daa6b8be652e6cd91664cadcd2ed2dee79f97381b4a95ca741be4076427af

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 485048.crdownload

Filesize
78KB

MD5
8b7621e5f2a0df6800250a2ddc35c86e

SHA1
a79d6517d8785490abd3b7cd5921975251395994

SHA256
b3ff63670fe419a60a0b1bddced6d6dcf3fef46071d603eae179715b8325b1f1

SHA512
f5d7c1c020dc337ea0aa31b606ef7cf3494e816e8a1d7d720da124b00343060bab6be31d0fb1cdbf199a35c673c77c1ec9daca9e05ea46ba601cbb64fa487c48

Download Submit
C:\Users\Admin\Downloads\errorfix.exe:Zone.Identifier

Filesize
155B

MD5
2d0fa10aa1887103d7f2cb13889c6afb

SHA1
385be2affdc2a02ceb75b4e6a75a5b7827cbefe9

SHA256
80a1cd6e30145fa9be050112d831d9bf978472b0be2cb2935cbc0d4243e36fb6

SHA512
530a0a2c5aae7746fa445feaa40c9277346e36b9ea6f71881f8d950d705395a088c0ac895bd01736bd64d226761a38daad1dd2180606405f0f564d6bfea59caa

Download Submit
memory/6116-88-0x00000188890D0000-0x00000188890E8000-memory.dmp

Filesize
96KB

Download
memory/6116-89-0x00000188A3870000-0x00000188A3A32000-memory.dmp

Filesize
1.8MB

Download
memory/6116-99-0x00000188A41C0000-0x00000188A46E8000-memory.dmp

Filesize
5.2MB

Download