meduza | hxxps://github[.]com/ordogos2/g575/releases/download/Download/setup[.]7[.]0[.]zip

Analysis

max time kernel
48s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-10-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ordogos2/g575/releases/download/Download/setup.7.0.zip

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2552-89-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza
behavioral1/memory/2552-94-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza

Executes dropped EXE 1 IoCs

pid	Process
2552	setup.7.0.exe

Loads dropped DLL 1 IoCs

pid	Process
4428	setup.7.0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
24	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 2552	4428	setup.7.0.exe	95

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
860	cmd.exe
2436	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe:a.dll	setup.7.0.exe
File opened for modification	C:\Users\Admin\Downloads\setup.7.0.zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2436	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
1852	msedge.exe
1852	msedge.exe
3300	msedge.exe
3300	msedge.exe
4724	msedge.exe
4724	msedge.exe
2636	identity_helper.exe
2636	identity_helper.exe
2552	setup.7.0.exe
2552	setup.7.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	setup.7.0.exe
Token: SeImpersonatePrivilege	2552	setup.7.0.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3404	1852	msedge.exe	78
PID 1852 wrote to memory of 3404	1852	msedge.exe	78
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 4996	1852	msedge.exe	79
PID 1852 wrote to memory of 3824	1852	msedge.exe	80
PID 1852 wrote to memory of 3824	1852	msedge.exe	80
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81
PID 1852 wrote to memory of 768	1852	msedge.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ordogos2/g575/releases/download/Download/setup.7.0.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff997143cb8,0x7ff997143cc8,0x7ff997143cd8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3890262007668154755,3896895380996746192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2744

C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe
"C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4428
- C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe
  "C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:860
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
b1085ce8e3d93ea0234a32167b0cdbbe

SHA1
1414c03014ffa063dbad4d32fe4129e8de042855

SHA256
0f3c541243ae0a25ac66db6dbbf15859cd787160c3ae5135d0b497444bf68ad1

SHA512
af1ba922ba3c7b3f0c08d29e03ff349241175269be57d640d35003fd16c94067546fc9e1f0234c2efb4a14439404eb4f5cd231863add5d123c0ca9678c48c238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
5121216f591165fb33afaa69a77bdf93

SHA1
07e7b942c2f673853f9757a16c9bdceabd5a9d25

SHA256
af06b304092a8dafa322a71eac7c8e289a62224069f9f6c6a99c3a751fbe4322

SHA512
ab7e939cae97b513ceb7c8861282779b45ed58d32b3f310907e8bfd4205a1732208b14bfd5fbf1016238e450cab42580a4a70c7b02ca6c0171656cd6df8b2b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6613f160c51c08d0db75936af0d4ff6

SHA1
84ba3bd8c20dc6168c9907a201e689fdb2c3201a

SHA256
55ad650802007ad21b29f76a3f373c3f08e64e745a95fda1d1d059fb48d7d067

SHA512
82323b599e9f86b6991e337abdb37f90cac23916c81ec122e1ed925a7fdde2ca10270f7ee295f9ab5d7f7b535725175d3c1bd15ed5816f0cf3a5e679433ca4a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
00dd4b21fa9feeb5ce5ad93f6762d534

SHA1
9cbebd9ce0ff398729b9746f0f767b4f845c8f8c

SHA256
4ab626519ee571e8ea51f71abff1dfc312b03bb23ee4326dded26fc10a556de2

SHA512
a11411508b946b3ab3963e7a54109c1231aca1aa853249e02d3d61e93d65e1f05d5260c0772d1aede845b0317eac9ab1407fa08b9bfeca4a256b4a8b95b67a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
19fa416f406fc08a41d0630fd0c3bbf4

SHA1
53adb34eddd002dcd860ff20f29df852b4a44c78

SHA256
b12b01473c304036195f05f2cfae936d8306c9836530bcabb8717a421e0c0724

SHA512
0fee49459232c1a575d2b41b9dc12b27f7d1e88500f08c7ea8dae919bf4567778fac39faa027f7d900a217e37df5ea79b3a940096ad8b2086bc06b6e19246e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2f6a1fe9d7f398481c62426e8e462b9e

SHA1
e26d65229b529061abb2ca0cef8a12eb53a28494

SHA256
54da8aab1167e4391b4fb63ef10d7adbfab0409f40607ba5c8c8e6dd3947f662

SHA512
74b32b12d5b2cda97318ef0e5f0d78c6cd38a39a799ae998d42202f099bdbde6e23cb552e0aa7237cd10fd5c8f8f2cc31ba392029b0a256224d52771ece85162

Download Submit
C:\Users\Admin\Downloads\setup.7.0.zip

Filesize
1.3MB

MD5
32711b39d30ad158f10dca650dcf20bc

SHA1
28024ef92736dedc70aaf7e558062d8878b2d6d5

SHA256
38f09edc87d2d94f3e8fe2e6119be2285e2e0afd64d0c4a53f7d62c9d8f9cbf3

SHA512
7964210fe6832d333b0b61a46ccd974d751d2a4501159c67763efcd245f57e36820bcede7bdca088ddc9c2274eb4db8d56f62cfa3cb0df8830ffad8d1fb11ed2

Download Submit
C:\Users\Admin\Downloads\setup.7.0.zip:Zone.Identifier

Filesize
546B

MD5
c521f4472de0723b0b52434f76255222

SHA1
27e3f0f4f1c702bd9bc444351c9831241f9499ad

SHA256
e407628a9bc340fbe0722bc76fd042c11e43b4559082e5c5613178b8e1307a68

SHA512
4ef92d6e4db075464b655e21f93d718a6985779b291bc16c037eb76fe626b05fbd514b47396f740d4a8f40c8bca3b288c413be5db9d8245cb87b6661ce2cc9b9

Download Submit
C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe

Filesize
1.7MB

MD5
994bb906f5c652d50b21a45c76c530c1

SHA1
ad90263d8b82f065a56efc728f6e226a60196792

SHA256
1a471d692acc84510b6af7c3ca4953823177bd4af8b569480a7e0862f88587e0

SHA512
6a99872d9884a1d609f984038fb661ac4e44608591d14cdb76741ecbb9bd5bfb6d1edb9f07c45865837502bc6b5dee74947179dd1eb38a4d7c1f7b2a30ca139c

Download Submit
C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe:a.dll

Filesize
1.4MB

MD5
7174024be7da44564fb982f235475e91

SHA1
e85017e81251e3b4463c63657af78c4fd6166032

SHA256
68c07fa0a1704dc6465f6eac11c24b9c018a7c4c9a182613c69c29f70ead91bb

SHA512
e03535c0b22c1ab80f2a6463dbdfe7d34d5e6fbb3a865436c93abc5046faefc1f227a7280315825331d6b237e9bf3a1134339689599e6577530f87bf0a013b3a

Download Submit
memory/2552-89-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2552-94-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/4428-91-0x00007FF615550000-0x00007FF615705000-memory.dmp

Filesize
1.7MB

Download
memory/4428-93-0x00007FF983850000-0x00007FF9839B4000-memory.dmp

Filesize
1.4MB

Download