The modules downloaded from ECAT Agent machines are stored in the ECAT Server default location C:\ECAT\Server\Files folder.

The modules downloaded reside within a sub-folder under the C:\ECAT\Server\Files folder.

Where the filename from ECAT Agent machine is renamed into a filename format of:
filename_SHA256_random.fileExtension_

An example, filename:
reportdrivemap_0b1757fcfe8dea7c783112f6e4db5556114be8738f9edbfed264dcf67f0564ac_27985nm.bat_

The directory that the file is in under the C:\ECAT\Server\Files folder is a directory with the first 4 Capital characters of the file's SHA256 value.

For the above filename example the file will be in the ECAT Server folder (default) C:\ECAT\Server\Files\0B17

The C:\ECAT\Server\Files\# folder will contain the MFTs (Master File Table), and MEMORY_DRIVER files downloaded from the ECAT Agent machines.

The random alpha/numeric characters in the file name is to avoid rare cases where certain hash algorithms can result in a collision with the same hash value for different files.

The path of the downloaded module can also be shown in the ECAT UI by following the steps below.

1. Click on Downloads under the Main Menu.
2. Click on the file of interest.
3. Click on Properties on the right to open the Properties panel.
4. Review the information under File.Download.

It shows information like the, Relative File Name (hpbuio32_77aff5fe4ece571718a382a753ebaaa9561b1c7f980d5be63c057ef23701d1e5_9745.dll_) and Relative Path (77AF\) to the file.