redline | ba00978fa3933d128d43f7be77ecd4323284b4bdf1ac80ac0315ef09802749ae

Resubmissions

01-03-2024 16:49

240301-vbnvaaab4x 10

01-03-2024 16:48

240301-vbjwbsab4v 10

Analysis

max time kernel
161s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora_V2/Aurora.exe
Size

620KB
MD5

403c733d425c072e88fc4a61595519dc
SHA1

ad25c881299ef6ac612ea36cdd40884caa479ba4
SHA256

96666cb323337b2fc5e3b87369639e637df2bb864a18422fd115c0f8f198b879
SHA512

1a30c2be85ec14cb644f3a81062a05b2759c09b6e29245a6856320f47865cd207b694feac6951e1d91c2350cfbe0bdbca2b302d02e92e3286de7bd2b9aafcf3e
SSDEEP

12288:vSIl566+QljEifBxARfzH5tCe7xChZZ8F39YaLFWlrSpKKIul5:Z5qUEi0RfzF7cH8waLQlaIul5

Score

10^/10

redline @dxrkl0rd microsoft infostealer phishing

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

45.15.156.167:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4744-0-0x0000000000410000-0x0000000000460000-memory.dmp	family_redline

Detected potential entity reuse from brand microsoft.
phishing microsoft
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4088	msedge.exe
4088	msedge.exe
3084	msedge.exe
3084	msedge.exe
3396	identity_helper.exe
3396	identity_helper.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3084 msedge.exe
3084 msedge.exe
3084 msedge.exe
3084 msedge.exe
3084 msedge.exe
3084 msedge.exe
3084 msedge.exe
3084 msedge.exe
3084 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Aurora.exemsedge.exe

description	pid	process	target process
PID 4744 wrote to memory of 3084	4744	Aurora.exe	msedge.exe
PID 4744 wrote to memory of 3084	4744	Aurora.exe	msedge.exe
PID 3084 wrote to memory of 3156	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 3156	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 1132	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4088	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4088	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe
PID 3084 wrote to memory of 4552	3084	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Aurora.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd17446f8,0x7fffd1744708,0x7fffd1744718
3⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
3⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
3⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
3⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
3⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
3⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
3⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
3⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
3⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
3⤵
PID:484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
3⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
3⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5472 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Aurora.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd17446f8,0x7fffd1744708,0x7fffd1744718
3⤵
PID:752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
21ab4055edcc8f16a402c4ca596f6bf3

SHA1
e50148f7c8163c230569b2add80a4d7b8c195d60

SHA256
da351b697661574a3d5e82e38077e273d55b74123621484308ffba268a9350be

SHA512
e8a30e0ccf9aba151d3ac058804819759e9bff934a89fcb2f276d7fc6dde9a0c95ea555f33e88c800c64231e2cec8c39d54f81e5cf76d9207c51c1fc3bb79235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b36503e7d230dc4595ef36eae7859c24

SHA1
52ef8c61508a9d6030db01194636d249dfdfdba8

SHA256
053a3512349248c141501978ea77ed7b904ee22c3f3fb9177632cc5ae9cf9bb7

SHA512
a3185cb5678f318f252f0c9f3be94e5b34061009c446741714b015d729625cd3a3e94a3829196fd86e012aefc9fc1300573589b507c218952b73ee490ad81c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fb671213db98f0fa0e151befb2637cf5

SHA1
c7f6591ca08c5b452e0d9d14eca0e16d2f8ce4fe

SHA256
c239a3656dcd7ff7d60ba5ee23005a2f0461634d7c0b43529b464870ae7412a3

SHA512
2b53908477e70275b5ea814348e6e1418d190d97d9aa0bb7bcb77959b9c6c6df0598f44a6cc05e3304178e93e9d55c817c72ecf1012ac4f2d1e8c3b77360eac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
45b4df9195383628b8bbaf0d4fd63d37

SHA1
74b38d987a3d1ee73a53a7ed6070c34e837cf097

SHA256
e5b89ae49d3f8152094118dc5e1a2e49506e8523cbd76f8c0c094628b7c1fbdf

SHA512
86dc6a804b2eb8abc83469feea692e4ad76ee0f17fafaba7d95cbbbdf46265403202004609f4a3eb11ff75a74e0258b550d1febd93fb6910ddb5b49d20cbffa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
371B

MD5
d15219ebf07aa0e7ed70e7304aae9449

SHA1
c35ed0300dd12af0f3f1197ce119c345ac0a6385

SHA256
76d65f30bad78fde65dedaa453d8e374dee450efe95279d1e701c16595d7d1fa

SHA512
b703e4af8e41948e101c964f2e370c844f4c7511b68773c16dbb3b0daff2dbc1559371dc3208ced50a27d6175a1b6f2ca54aa9e46f96913f19806f8790ef9c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58216e.TMP
Filesize
203B

MD5
9a14c36f8c73de60eb93760d06d1ad3e

SHA1
99e72ccb8b367d7a365e67d5e5621005cb9999eb

SHA256
97fd9f29f64a134f3abcbc61016965a062ac4c77da7f5da1d01af37dd6043529

SHA512
bce57149c9fa035a35b5b477bbfe6e6d1b6d72bb8741bd19a517a78ebbbbbf7a85150706a8103acad7a94db19f6a41f04849298f0a3802b35caffc8e023727b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d19249203275b7f82267f943c11d5874

SHA1
00107aba09aa1e7b020d8797a67832863aebbaf1

SHA256
834e05f857392ff05b98b6f00ab2e46eae69a143421defd10ab4ab70688f5331

SHA512
025aca5b3d2d9c65249fd088e608bd2ba676ee864d9de01885a71050ca1e3843b2d1671f6fedffbcf467e08861c112678d2b7ed17ed5fc74a92c375064ddffb4

Download Submit
\??\pipe\LOCAL\crashpad_3084_DQPGLERNDVYVWRUV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4744-0-0x0000000000410000-0x0000000000460000-memory.dmp

Filesize
320KB

Download