redline | 436b9511af9e1d768d3f16e2e8031b2a6d9d165b5dbe38bfc423699666c80b23

Analysis

max time kernel
168s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.acbe32c3784fa220a4fabd3467bce710.exe
Size

309KB
MD5

acbe32c3784fa220a4fabd3467bce710
SHA1

8e8eff7e5f13bdfa6dd364cc2ce376ca3db0ef6a
SHA256

436b9511af9e1d768d3f16e2e8031b2a6d9d165b5dbe38bfc423699666c80b23
SHA512

ef4b2d7eb2c9af5e8346784dfae402e3632e95727ff8672eb8655df03bfac571f87278e87e31b2eec456c92aea76f3f360914b47c58d4c9b37afe1aebda2d9e7
SSDEEP

3072:8r087cQ7PNEfXy8RVb8F1Ib9OROwVL/Aw2pQTAFYfiga6rJeeIcj9jIuY:8r04FWRt8Fib9OoYf2mTAum4J0s

Score

10^/10

redline @skayoker38 microsoft infostealer phishing

Malware Config

Extracted

Family

redline

Botnet

@skayoker38

94.142.138.4:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4796-1-0x00000000005C0000-0x00000000005FE000-memory.dmp	family_redline

Detected potential entity reuse from brand microsoft.
phishing microsoft
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
1184	msedge.exe
1184	msedge.exe
4648	identity_helper.exe
4648	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1184	4796	NEAS.acbe32c3784fa220a4fabd3467bce710.exe	91
PID 4796 wrote to memory of 1184	4796	NEAS.acbe32c3784fa220a4fabd3467bce710.exe	91
PID 1184 wrote to memory of 4704	1184	msedge.exe	92
PID 1184 wrote to memory of 4704	1184	msedge.exe	92
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 3852	1184	msedge.exe	95
PID 1184 wrote to memory of 1404	1184	msedge.exe	94
PID 1184 wrote to memory of 1404	1184	msedge.exe	94
PID 4796 wrote to memory of 1720	4796	NEAS.acbe32c3784fa220a4fabd3467bce710.exe	96
PID 4796 wrote to memory of 1720	4796	NEAS.acbe32c3784fa220a4fabd3467bce710.exe	96
PID 1720 wrote to memory of 4644	1720	msedge.exe	97
PID 1720 wrote to memory of 4644	1720	msedge.exe	97
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98
PID 1184 wrote to memory of 4724	1184	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.acbe32c3784fa220a4fabd3467bce710.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.acbe32c3784fa220a4fabd3467bce710.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=NEAS.acbe32c3784fa220a4fabd3467bce710.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97b0c46f8,0x7ff97b0c4708,0x7ff97b0c4718
    3⤵
    PID:4704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:3852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:3332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:4840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    3⤵
    PID:4184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:2320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
    3⤵
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13152515634483308594,4623105823920200950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=NEAS.acbe32c3784fa220a4fabd3467bce710.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97b0c46f8,0x7ff97b0c4708,0x7ff97b0c4718
    3⤵
    PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4c4a6e3fd53259ced4ed2ee12e1b73a2

SHA1
e477abe6debd20ac9bd22a7b6d7b4b0d3926e45d

SHA256
40d812609b40b07d35f1e09f390ca0e376ecf2dce700c62536cc464df5a6365b

SHA512
94fe5d6c2d9367139a79e7004127d28036e24988b99d8b54f09137f1f0c75a7dc90e184cf9f54f098dcf864e28e385d0adbc67bc09081f79d7338b9000408c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e3e4f4cd45dc98d1dd49ddbf3449c52

SHA1
d288331484edd53396aedcd51b53b3ce7b06569a

SHA256
1e1d18a7bddea80039b07351677ad129342f4ce744713772ed893ff7c86a0434

SHA512
d16018fe363356ac137ac98929c322fd2bfd00d1f85c001f25a1bb51ab0525543ef4c37f08953addc54727cba570174430a5780efca12db7edeeb5fbe5af64a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
26356e4d5ac364ac1a98bb4070ed6919

SHA1
f2d3edee35149e00aeb857350703e83a548ec984

SHA256
a724746660e4ede3a47fe6a5b38de1b69a115d1461f32127398c3eb3349a43b8

SHA512
52576819caa9e8ec72975b1bc4b4173e2b5c21784095da99829eac1852ef4025d957bdd7de982ad5ee62a886cc102848ffb87e75f23fa39cc61372c3caef9b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ec11cfcb44dbee74d2753b47d0818de7

SHA1
9a7fe46de7b39c56c194477b5ed16f1d80e2ade6

SHA256
b5fe74d26bd8f382ff49be16584342ef960386f7e767cb8bd7b11ba7e793bb89

SHA512
07839026fb53da6f57240bf26fe054873fdd9f4233de0567ff5b1b0d23e9929c4a852e8460d78871847fd4988dd859f6969010bc2b74c9fe4257d9e024a92cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
f608d2212cc94dca26571971930ee141

SHA1
9336ec0da851d9b0b83f17e3c71c1b46ee74dd3f

SHA256
69eeae97f2ff44580865933b98a58b4511a8b502383e9b4de54e17a4f5583969

SHA512
ce1bc067dfcc01874bc39dd523b697c27eb8d7bea1fc33ddea72f67e409b1a0504f84e918cb94059a27386d0cf0cd89150223850ba4cd43a06d3111d01c02345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
3596712f968f97776535f1546a713f9f

SHA1
ff3e4c6f8b59807adb112bd4c39d515b16665e1f

SHA256
aac26de83f60402c7373320d7e7abe7c82b0952f31a9f4e92e70b2a91e5c4603

SHA512
a6eb92697770f16c8dd3c0160f557ee6a3ae45585e1e45d04b303e7a04a12e5b68a999b396b8456f1d6708b1a40abc30f24592d3de6aa2979cdc64ef59284b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593e86.TMP

Filesize
203B

MD5
af2acbc5b43caf2d54e0943134836066

SHA1
b023762feefb7ca10ce52c4235532d0db38fe10b

SHA256
814779e1544f489afed497840e37873d5ea0d349f1c8264bf3844778b4615611

SHA512
2220fd98874bc8308090dac36e35c92d0bb90924bbee1c291a0bb74b92ea0c2c9fe8c123673142c5c70f7be4dcf33c7cd6eed9e4ec4df3c90c064ed9e62da8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6df38f6867a4a7172d32f08b71333ebd

SHA1
2ca307d8cfe4c3331b157b24808e2f3f94fc70b2

SHA256
e9217c29ef4b689811e3e7af816a5d1b3e0785d97e8439bba964aa6c5ce02d6a

SHA512
62568eeece5adb52162f2bceac12417af1f08a11bc0d399602c72b66cd0e068fdbb82550eedeb8b11e9c0f347078346773182f3e7a0b547218cf30693a2bf2db

Download Submit
memory/4796-1-0x00000000005C0000-0x00000000005FE000-memory.dmp

Filesize
248KB

Download
memory/4796-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download