Analysis
- max time kernel: 161s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-03-2024 16:48
Behavioral task | Sample | Resource
behavioral1 | Aurora_V2/Aurora.exe | win7-20240215-en
behavioral2 | Aurora_V2/Aurora.exe | win10v2004-20240226-en
behavioral3 | Aurora_V2/scripts/scripts.dll | win7-20240221-en
behavioral4 | Aurora_V2/scripts/scripts.dll | win10v2004-20240226-en
General
- Target: Aurora_V2/Aurora.exe
- Size: 620KB
- MD5: 403c733d425c072e88fc4a61595519dc
- SHA1: ad25c881299ef6ac612ea36cdd40884caa479ba4
- SHA256: 96666cb323337b2fc5e3b87369639e637df2bb864a18422fd115c0f8f198b879
- SHA512: 1a30c2be85ec14cb644f3a81062a05b2759c09b6e29245a6856320f47865cd207b694feac6951e1d91c2350cfbe0bdbca2b302d02e92e3286de7bd2b9aafcf3e
- SSDEEP: 12288:vSIl566+QljEifBxARfzH5tCe7xChZZ8F39YaLFWlrSpKKIul5:Z5qUEi0RfzF7cH8waLQlaIul5
Malware Config
Extracted
redline
@dxrkl0rd
45.15.156.167:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4744-0-0x0000000000410000-0x0000000000460000-memory.dmp | family_redline
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
4088 | msedge.exe
3084 | msedge.exe
3396 | identity_helper.exe
1512 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exe
pid | process
3084 | msedge.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exe
pid | process
3084 | msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe
pid | process
3084 | msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Aurora.exe, msedge.exe
description | pid | process | target process
PID 4744 wrote to memory of 3084 | 4744 | Aurora.exe | msedge.exe
PID 3084 wrote to memory of 3156 | 3084 | msedge.exe | msedge.exe
PID 3084 wrote to memory of 1132 | 3084 | msedge.exe | msedge.exe
PID 3084 wrote to memory of 4088 | 3084 | msedge.exe | msedge.exe
PID 3084 wrote to memory of 4552 | 3084 | msedge.exe | msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"
- Suspicious use of WriteProcessMemory
PID:4744
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Aurora.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3084
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd17446f8,0x7fffd1744708,0x7fffd1744718
    PID:3156
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    PID:1132
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:4088
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
    PID:4552
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    PID:4272
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID:4296
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    PID:4012
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    PID:4316
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    PID:4828
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    PID:5076
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    PID:4948
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    PID:484
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    PID:4884
-
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
    PID:1584
-
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6011383603937828721,12604543545001428305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5472 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Aurora.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  PID:2384
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd17446f8,0x7fffd1744708,0x7fffd1744718
    PID:752
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2848
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3080
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/4744-0-0x0000000000410000-0x0000000000460000-memory.dmp
Filesize: 320KB