Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-03-2024 14:56
General
- Target: israbokchat.exe
- Size: 756KB
- MD5: da12c6ff5cd8c76ea98749f8cecca7e0
- SHA1: 320f3efb2d9e2f40a2f572600b594f6d0d962ca9
- SHA256: 11ac419df5e4ff7f40024c59c4eef2376b73ce230a74d76532e02794965798fc
- SHA512: bc38df1580a168d0c4c83ce15aff98d86f0a96f26ebc12eb1d966ec8370ecdf17786f7c98fbd3496a91c8e33b09070975d667ed55c60d3e3a3c91f9f4570ecfd
- SSDEEP: 12288:v9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9KlKebJR:ZZ1xuVVjfFoynPaVBUR8f+kN10EBPhO
Malware Config
Extracted
darkcomet
Guest16
6.tcp.eu.ngrok.io:12633
DC_MUTEX-CMZ8PA7
- gencode: B5x3C3ZaFyH2
- install: false
- offline_keylogger: true
- persistence: false
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes: israbokchat.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | israbokchat.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
-
Disables RegEdit via registry modification 2 IoCs
Processes: israbokchat.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | israbokchat.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
4240 | attrib.exe
4612 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: israbokchat.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | israbokchat.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: israbokchat.exe
description | pid | process | target process
PID 2740 set thread context of 1560 | 2740 | israbokchat.exe | iexplore.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe
pid | process
5004 | msedge.exe
5060 | msedge.exe
5556 | identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
pid | process
5060 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: israbokchat.exe, iexplore.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2740 | israbokchat.exe
Token: SeSecurityPrivilege | 2740 | israbokchat.exe
Token: SeTakeOwnershipPrivilege | 2740 | israbokchat.exe
Token: SeLoadDriverPrivilege | 2740 | israbokchat.exe
Token: SeSystemProfilePrivilege | 2740 | israbokchat.exe
Token: SeSystemtimePrivilege | 2740 | israbokchat.exe
Token: SeProfSingleProcessPrivilege | 2740 | israbokchat.exe
Token: SeIncBasePriorityPrivilege | 2740 | israbokchat.exe
Token: SeCreatePagefilePrivilege | 2740 | israbokchat.exe
Token: SeBackupPrivilege | 2740 | israbokchat.exe
Token: SeRestorePrivilege | 2740 | israbokchat.exe
Token: SeShutdownPrivilege | 2740 | israbokchat.exe
Token: SeDebugPrivilege | 2740 | israbokchat.exe
Token: SeSystemEnvironmentPrivilege | 2740 | israbokchat.exe
Token: SeChangeNotifyPrivilege | 2740 | israbokchat.exe
Token: SeRemoteShutdownPrivilege | 2740 | israbokchat.exe
Token: SeUndockPrivilege | 2740 | israbokchat.exe
Token: SeManageVolumePrivilege | 2740 | israbokchat.exe
Token: SeImpersonatePrivilege | 2740 | israbokchat.exe
Token: SeCreateGlobalPrivilege | 2740 | israbokchat.exe
Token: 33 | 2740 | israbokchat.exe
Token: 34 | 2740 | israbokchat.exe
Token: 35 | 2740 | israbokchat.exe
Token: 36 | 2740 | israbokchat.exe
Token: SeIncreaseQuotaPrivilege | 1560 | iexplore.exe
Token: SeSecurityPrivilege | 1560 | iexplore.exe
Token: SeTakeOwnershipPrivilege | 1560 | iexplore.exe
Token: SeLoadDriverPrivilege | 1560 | iexplore.exe
Token: SeSystemProfilePrivilege | 1560 | iexplore.exe
Token: SeSystemtimePrivilege | 1560 | iexplore.exe
Token: SeProfSingleProcessPrivilege | 1560 | iexplore.exe
Token: SeIncBasePriorityPrivilege | 1560 | iexplore.exe
Token: SeCreatePagefilePrivilege | 1560 | iexplore.exe
Token: SeBackupPrivilege | 1560 | iexplore.exe
Token: SeRestorePrivilege | 1560 | iexplore.exe
Token: SeShutdownPrivilege | 1560 | iexplore.exe
Token: SeDebugPrivilege | 1560 | iexplore.exe
Token: SeSystemEnvironmentPrivilege | 1560 | iexplore.exe
Token: SeChangeNotifyPrivilege | 1560 | iexplore.exe
Token: SeRemoteShutdownPrivilege | 1560 | iexplore.exe
Token: SeUndockPrivilege | 1560 | iexplore.exe
Token: SeManageVolumePrivilege | 1560 | iexplore.exe
Token: SeImpersonatePrivilege | 1560 | iexplore.exe
Token: SeCreateGlobalPrivilege | 1560 | iexplore.exe
Token: 33 | 1560 | iexplore.exe
Token: 34 | 1560 | iexplore.exe
Token: 35 | 1560 | iexplore.exe
Token: 36 | 1560 | iexplore.exe
-
Suspicious use of FindShellTrayWindow 26 IoCs
Processes: msedge.exe
pid | process
5060 | msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process
5060 | msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: israbokchat.exe, cmd.exe, cmd.exe, msedge.exe
description | pid | process | target process
PID 2740 wrote to memory of 2268 | 2740 | israbokchat.exe | cmd.exe
PID 2740 wrote to memory of 344 | 2740 | israbokchat.exe | cmd.exe
PID 2740 wrote to memory of 1560 | 2740 | israbokchat.exe | iexplore.exe
PID 2268 wrote to memory of 4240 | 2268 | cmd.exe | attrib.exe
PID 344 wrote to memory of 4612 | 344 | cmd.exe | attrib.exe
PID 5060 wrote to memory of 1804 | 5060 | msedge.exe | msedge.exe
PID 5060 wrote to memory of 548 | 5060 | msedge.exe | msedge.exe
PID 5060 wrote to memory of 5004 | 5060 | msedge.exe | msedge.exe
PID 5060 wrote to memory of 4956 | 5060 | msedge.exe | msedge.exe
-
System policy modification 1 TTPs 3 IoCs
Processes: israbokchat.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | israbokchat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | israbokchat.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | israbokchat.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
4240 | attrib.exe
4612 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\israbokchat.exe
"C:\Users\Admin\AppData\Local\Temp\israbokchat.exe"
- Modifies security service
- Disables RegEdit via registry modification
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\israbokchat.exe" +s +h
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\israbokchat.exe" +s +h
    - Sets file to hidden
    - Views/modifies file attributes
-
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Sets file to hidden
    - Views/modifies file attributes
-
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  - Modifies security service
  - Disables RegEdit via registry modification
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffd49dc46f8,0x7ffd49dc4708,0x7ffd49dc4718
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/1560-1-0x0000000000400000-0x00000000004CA000-memory.dmp
Filesize: 808KB
-
memory/2740-2-0x0000000000400000-0x00000000004CA000-memory.dmp
Filesize: 808KB
-
memory/2740-0-0x0000000002860000-0x0000000002861000-memory.dmp
Filesize: 4KB