meduza | hxxps://github[.]com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7[.]0[.]zip

Analysis

max time kernel
450s
max time network
452s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-11-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
153
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1248-78-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza
behavioral1/memory/1248-82-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 1 IoCs

pid	Process
1248	setup7.0.exe

Loads dropped DLL 1 IoCs

pid	Process
4672	setup7.0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
22	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4672 set thread context of 1248	4672	setup7.0.exe	96

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
932	PING.EXE
3728	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Temp2_Setup7.0.zip\setup7.0.exe:a.dll	setup7.0.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Temp2_Setup7.0.zip\setup7.0.exe:a.dll	setup7.0.exe
File opened for modification	C:\Users\Admin\Downloads\Setup7.0.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe:a.dll	setup7.0.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
932	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
4660	msedge.exe
4660	msedge.exe
3280	msedge.exe
3280	msedge.exe
3984	msedge.exe
3984	msedge.exe
4060	identity_helper.exe
4060	identity_helper.exe
1248	setup7.0.exe
1248	setup7.0.exe
3192	msedge.exe
3192	msedge.exe
1856	msedge.exe
1856	msedge.exe
3124	msedge.exe
3124	msedge.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	setup7.0.exe
Token: SeImpersonatePrivilege	1248	setup7.0.exe
Token: SeDebugPrivilege	1596	firefox.exe
Token: SeDebugPrivilege	1596	firefox.exe
Token: SeDebugPrivilege	4640	taskmgr.exe
Token: SeSystemProfilePrivilege	4640	taskmgr.exe
Token: SeCreateGlobalPrivilege	4640	taskmgr.exe
Token: 33	4640	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4640	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe
1596	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe
4640	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5056	MiniSearchHost.exe
1596	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4380	4660	msedge.exe	77
PID 4660 wrote to memory of 4380	4660	msedge.exe	77
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 4688	4660	msedge.exe	78
PID 4660 wrote to memory of 2528	4660	msedge.exe	79
PID 4660 wrote to memory of 2528	4660	msedge.exe	79
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80
PID 4660 wrote to memory of 3968	4660	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffd0c4e3cb8,0x7ffd0c4e3cc8,0x7ffd0c4e3cd8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,10692409567817706519,7372715098055604372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4280

C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4672
- C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe
  "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1248
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3728
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:932

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0c4e3cb8,0x7ffd0c4e3cc8,0x7ffd0c4e3cd8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,557319325673593348,15952351933285770240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\Temp2_Setup7.0.zip\setup7.0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Setup7.0.zip\setup7.0.exe"
1⤵
- NTFS ADS
PID:424

C:\Users\Admin\AppData\Local\Temp\Temp2_Setup7.0.zip\setup7.0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Setup7.0.zip\setup7.0.exe"
1⤵
- NTFS ADS
PID:3860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3852
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1888 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed623da2-41b3-4206-a3d5-f8efbe1f8182} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" gpu
    3⤵
    PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e2c83d-1f57-49e2-8000-9d3acafbf173} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" socket
    3⤵
    - Checks processor information in registry
    PID:1884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 3284 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f4a897b-1845-4292-9da0-7290720bf87f} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 2 -isForBrowser -prefsHandle 3136 -prefMapHandle 2972 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42a1c1f5-83c2-440e-a872-ed9354bc08a4} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4792 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bf27721-c9fd-404c-ac1b-39acc545bd9c} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" utility
    3⤵
    - Checks processor information in registry
    PID:5152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 3 -isForBrowser -prefsHandle 5552 -prefMapHandle 5540 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60be8803-b76a-4398-ab61-2bb92b924bf1} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
    3⤵
    PID:5796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5676 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fccb6c77-1197-4674-a95a-4cb14c5f9780} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
    3⤵
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {056425ae-0e75-4522-9b18-f99a003e312b} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab
    3⤵
    PID:5820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4640

C:\Windows\System32\PhotoScreensaver.scr
"C:\Windows\System32\PhotoScreensaver.scr" /S
1⤵
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
214a65e61b2c17b34b4702192b071661

SHA1
1d38f3f0af5cd18e24624fd2e542b808f2619e24

SHA256
67c4b2ccc4fba6862c945cada5af01b4c3535f7b17cb128fe1cbe52805a3d0fd

SHA512
5762b3718f8154c1fd5439c0cc83a3398dcc15226231124ff8a2c9c6f3ea8d85fbbe8f2644a9720119992bd1079416031bc85aa5d7007481b9ea642bb75334db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cac9b3fa8d9bc24e9a49faee780235fa

SHA1
a6253ef0b8c96f9bc03330bd390eaa2d7d7d657a

SHA256
d1a8af3ee4e683e42d858cd465de28f15886ee6ca8baabf47f07f653ae27d8d8

SHA512
f3b9c4f08d7387801d1635235c2494a41e1517c218721b2371266c8051f03c9ee4177ed40be22ec8d7a21c9304b96907bcabf7e88e80ab88c8de1719844f2c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5f12eabb-417c-4d3a-aaf9-845b545c4527.tmp

Filesize
5KB

MD5
8d749685c1483c28064aa32921b0c7b3

SHA1
350d5927c9296b6e77b88f895fabe752d937c4cd

SHA256
cf6c0cfc99d46c60cb9da5bfc5aba057bca88aeec729b6ee85135101dcc51e78

SHA512
8d921cc643482d2bd4b9742cf2cc4c6819e37aa8faea8f1ec689fd2922969b4dfa3421f7103211cf91307d850fc5185be067f79daa1fae60e8374fdb2af667fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
5d2014829d83e495a54d0a6501107134

SHA1
cf8a1508e67a6358b5cbed7e9f7e34a32645334c

SHA256
1773ef819323f396c94e104559ad6e0a4ad95a69a5b4fa429f3bdf4603cdf86c

SHA512
02b7c081b7710ecdce8921eebfa58e4b33dee7994fbf6d9af5bb7ae187c34bbdcf28f2ce8114b74948cfc519e93f74d5b2f6db6a08212b47240344f5e5ed193b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
d3532fa3341920c3a5b428ce11d15961

SHA1
ea6bf4f71331c01d59c2ae6c50a43f52d4f053bd

SHA256
51a9c7e5ee54d3af7ed068891688d9429afbcaafbfef753d314e539ed2546d4a

SHA512
3dac39932780b9bb811703ffbba768c526ced59ca9fa23fbb762f9204b6c9f26c11ad1d6f52286598aca701b6e3f33162fbaaa6cae704556a60316ce6d1eaf29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
dc43dab014461ba8b730cb81289d0139

SHA1
ab0f6f3c026cede19392a661cc6c382683297e37

SHA256
b57198504616dd36e71ad1496ce6139d3f6e46cde40a83f3321dcf43faebadd7

SHA512
f9bc9b4aec30ce6d4336f40f835530708132ff3b1254a5b9d7d5532c479a06a58489fcdea93a6d4ff06e6af8fdf59bf0f581c533b4cc0568e37bf59235dd993e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
87eec674841778ae1f9a9a9a0e3d325e

SHA1
8c4f69c3534b68877c7aaa9256423d96fdab4eb0

SHA256
f880e90fd5dc1597fc11fe769893efea33553ea50ad0e4561f91a8c1c57b4f82

SHA512
cb6c673515c446a4750e614aaa6521419d44097ef6eb99c5a795c2620b2bbc45eda508f47f5ae1280e39a09a87552debc77845e53cd31523047b44200c28256b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
f9d98245b7704b6db79372510f862445

SHA1
34548a7121b92c47f2ba94e169b9fde84f187d07

SHA256
caca3c0871b5feef7ae7d887b92daa166c8b847135a57441ba13fb4c3bb8701c

SHA512
ac09a315593adacc68cb4e531c33ea42bfa77de6ed71ee37b089402bea627858dc92c06311925137bab743686cf4814bc27d295c937c5830ef40c4dc5b08936f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
0af7920878b30234eb1642e14b1c9a84

SHA1
d55b8de170cf293fc523d2ccc4f68fd2d26dca92

SHA256
9e14dd09f4467b0e79416dbf16de1e3dcd352d4a2447f5a7f3f1aa105aa9eaa5

SHA512
006b38fd84a13854593f3af6f5369f87a2cc6793bfe1fe2d84db6971377adfa8cc536cbaa8bcd863a45001d29f89f2bdd05198fd37f30d7ed4158384572bf1e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2cfd0f7d2b3b8732d33615b902ca4ef8

SHA1
469d914c0ff86ef345a06525f2f3472e9ca2ca90

SHA256
c7267cfcb5a8108e9931b3b6dbc915955a1cef3e36b530e196fa6d914d27d5ad

SHA512
dd5ecac788d4754645d767564714e34d250eb5646ad812d539941fa1afe60d3b56f0ba1c2f36b459d5ee9a22947881e7c8a6e5159d6caee4d0fba7fda4d5e6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f85a5fdb843b291b9c05bb96bb4ee9d

SHA1
8c2d231ba12d37df8c2081aabcc7d0b17d0fc720

SHA256
ee4c88cd36afc7244fb25a854218147bdb7ebd5e5defe4984fd704339c5aa3b5

SHA512
0e2afb716d38ed4c9f6231fa95ea6f4dce72de7ff7f5088e9b17cad7421522d00fc89ed3126a3cd0acab9609d09d268c3be7c829a6522f198560058ca03a598e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
97707de59413b67d358ce6124f084981

SHA1
1aaefd14d10f3ee8db6a413583ec8b2810ca60f2

SHA256
cac3b4ae3dd9eda86fb42101a9273200d140c469597e8b98ec5720dc3c9d6fe2

SHA512
9d93441bd8b894fba3b6de00b0bfaa0434dc294d8ef06a1d3d73fc5a0e699602daf25b7c68c251e9827fdb3d69e4f416bc54be4469d9650450070d49cc07da2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f975c99adbf062d4f5200abb97fc2ce

SHA1
5c7837508700b634953959109b4f98c0c11c621d

SHA256
65c853aa4f96f16d8e62a10a13d9212c71bad718d17d8a45618102fe08993f2c

SHA512
c9b3dc274cc61ede4f167394563bf4e757862edde1706d267d0e70a7587c0e229486025085684ac1abdf3aff6ddec752a7b3504c0704eb763ed16b90317e7c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
39bfcf3cfbc436d4881e027bd2c0f59c

SHA1
4431c3ed87c8410f5008e0baebf09d6576316c9c

SHA256
9ee69650ea015f234db03f2f9929c78c9e4885a911ea219c6c46b1e20d5f658c

SHA512
c580a78dbbc172402ece17ed49bdab4ff3deabfa7120300d1a25a0dbfadb73a4352d0b4edcabaceaf0d5287f263f98fdad7de493dfd3dd7523a5c76f93607457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13375671599143997

Filesize
461B

MD5
60cc0820eadb3a9bd6aaddb328237304

SHA1
b40d3080f80326c065c547d12f873f2f201fb8aa

SHA256
bd1267ef7e994ae3ccc5c5f3ae3383a5673cdf2be96771b12637271fca2a658c

SHA512
4fe8a54a38a67c013b6577680f9b1d273831c62ec8e42dd905ac6e793bed20806636c012960b7b96ca29e9cc282df27f61dca7ed6992e227c8da0396a0b6cdff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13375671599330997

Filesize
717B

MD5
e3ebc9ed015fd8bc0846279c2d95bc60

SHA1
9785a10f7bb7569f6932a887e689d848f9a299d9

SHA256
1962f08d7a40f1bb0e813f88f2a01a7f23b34552c97fc3c10eb8f84f9580fb44

SHA512
6e5380a3e037884d8dbd4764cfa3e32b4fa71a7db68f7bc8ec8de29b145873fc2db27d3aa594669a0c5889b354bd629e5373f300df3c70a1d0b22bff80b6dc13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
3ab2ded9706ce9cdde7b55fc0c7d1498

SHA1
cb547d9ed449b6c06ed2de53813df1fa035b320c

SHA256
d438a3077145e97e1e98d710cb74d96afe94b2770c434b60a9fcd0a24451d519

SHA512
0d72e7faeb0933fb24051a2aff668043fa4b8bea7c5d29c7ac4862246e31c9579573f5c137a58530dda38eba830e118c33ecfaec5f53ea95933fb213d0b87f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f042123e93b8f3b479df73f861fa5fe3

SHA1
711d2ea41e0638254e4068ab18ef1f6d8e782251

SHA256
7660adcaac2d009e9f14fd4928a46359bdcedc3217a48bec3195155823fe5ac4

SHA512
cf6249e6d9332472b7367711674d5c9898c12381d2bcd7407cc4be66bee79f7dfb92831b0d45d4a7abad79ed53f5403d4aaf3834ffb4b723f0c281cfe221bdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
57e879dda93533d4a7dad0a5a95238c6

SHA1
fbd8772d5d5850248417f52a35a4f0baee8fdc6a

SHA256
61515c6e54786fb6de6d4d0dfa5022c1b79231e4327e26e95af41ba70854cca1

SHA512
f1bc98edd140a7aa36b45b3e5cc2a55455dabf6d84330d3652f76d6956396f6ace2c547eff523bf34c2c65008518f5038ab7e4885319c0bc92ec83ba41211d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
12333ba63fc93e515fc1f3a97631f6c2

SHA1
3036ca3e8200a5b432325214a69327ac54ca93c4

SHA256
a84db03bf4126b852c3aeb05f23630c97158dfaa59f308f99b93dba7ed6dd07d

SHA512
1b1357e79ab2659e4ab9aecc050d02ff7eb10b7eb5e722382ab899135460da4137e0cc53990ae675f2bf3e2819c959cbc770f41dd829e00bcaa7c5b762df634d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
508fd62750250d4e159ab6fae75c084a

SHA1
7b50b204d1d9a93c28c29eba11cb64a14c77cb2b

SHA256
f942b3304241aacac9c3674b32c0c022cd5fa27957d8f5548fcfe900fd700b19

SHA512
82289e39db69312145bfbef3c63c53fa49566e6aa0507fcdbd269a026ce364880c314ceb7da31d2ae84b495b84749ca547a112b2eb803d5082e403c4433cef8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
98eec8765c8cbeef71e36e03df0837b4

SHA1
aca33d741af9784f8c2eeff7991c737d185b499f

SHA256
f5aa3d299e04ae30c3dddce0e76ad612b5e6f64859ff89d2099b9b5595998914

SHA512
0d2766f391c718be5928181f29de3ff8d86f54bf2e7f0a29eed6618c80a554d752675b003350608f105cc16ecd332d56910071c49b0d1c0b55fb020bc74a3d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
753a4726b3bc0fc442f1dbf11676b86b

SHA1
7ad5be9047e80a874f2fb0ba383eb390e1197b23

SHA256
2dd3c16e432a841a09bf2e6ee716bc3d56877b7faf75a63e0c9947db11efbf74

SHA512
a541bfd0e8700dd53166c650cfa05edf02c2e2f054dfbfcf36d74c2e8c0efd3abf0711e93f66dc8031a3a8e3facaa3701177b12ef61f10d49d33e4a627addf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
04c236c58dcd6b131851f621bd9633ca

SHA1
9043efb5bae8fcca88d046816d32b0c908eb3f79

SHA256
fb24a157dbcc77a8b9589fc17d9549f7dcb329696f30039d9333ac6a93675742

SHA512
13d7b7df2d0c86b37a153e89f0eab61c789429d96efa1898a610503abab61110e3e1b3944b36b9893c8835d6ea0ab13f061affbba162e905eb2ad9e0d712a9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
074f947f79be1746aa1d72ed8a28cd34

SHA1
ff6f60089882d2af91e6158b5b315b9cd4a1f862

SHA256
9e2b6c727d1a745b481d49a5e039934d191f539ff4c83dcac43a82a9933a68db

SHA512
3f731e139d50215b348619f361c336dba75780e8feaf5d9734dfcae47fc126bdd2325e8d58bdf4a802baf825c2f74c3ae1bd101ddae123ca7c64863843e34500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
030006fcab3b5716cd8935313122abc7

SHA1
eda5dd5bc1412ac8e3e623e5a947a91476ec312a

SHA256
ab853d45d585a27e689406d6cbad8bf885276173cfd51504fa55987f27e5319f

SHA512
8cccaef82b6b374b63da33c80e49846a045ca87eb1cd4e71e0279c46957d663f204c38abe145ff6682d16d13bd870873d9942243cb5ef6dfc4da2d3128abf41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
3aa77506c28437a47c7612681a7f7f02

SHA1
b33f88a0e7a2e062182b25a4bad05ae5804a665e

SHA256
a286fc309be38ec0e9238e4ec06d88fbd491aa86de92d511240a07e6c0133fc6

SHA512
f34c21574cdc02d627690290a942ee4ee837006dabf1300b6b5b2e44e9e2fe2fe2cb64f8cd9c43a5e1db5cbde78543aea70aba5524c989b6653bf8bf862d9738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
64913dfe143c1590a0b51844a1b46edf

SHA1
0c0f3d36d0bf62eb601f01f7567aac63ea4d8b6a

SHA256
ebbaa9982b2bfa0b6cd1a51353c36f8b1a79f566d2ef9d3ae8a8c20ea6f59f81

SHA512
c45cafcbcaf78bce97cc23556d24849ebb87f9663f646e8ea2bfb9e459fefa69be24e1264839c6e636fd752adef373d499857b23164025bdbfccdcf8780141c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5ad57edab8848c1660e997935099e4c4

SHA1
d49f31836bb15e60ced44f26b9cf6192599d8c16

SHA256
412c5b8987a98c3a09a0f0dfbe1418ba7853161d94d47d0035dfcefbde1b632a

SHA512
e61e11da4e4ef616ba93e121651ea0ec6ff9621fdabfbbaa58fc080fc1ceadb056ec1859dfab74844eb2a75c0b6e47d49d8a5d6dd264718bc2692e54c5a2e606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b81a95122ac8eac0563b94fc05c99fdd

SHA1
e6b1c014fd6e40f212d6fe5b06f80dc688918b9a

SHA256
f6cda6cf25442bae85171d9c464547c6c6255e7228b2002b01fd6b9d56f37518

SHA512
fdf31a01083889498f2715ddc686b1d3fc688cf52ff9baef05fb54b125ee26fa40d8ed7a6ebc02c547c2cb22a3ed01560c83247a87061dc38b4537bef17aad06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e6ae83763a803cacca988ace17e7556c

SHA1
abb40f6a7253c019a18d55f01d5a3497fef1b70d

SHA256
690ea5c4c56da05a1699e97c77bd0c4272ff154649be3f71ec6d3fbb834d05d4

SHA512
35958fe5a59204d79f451fd0d56ab66c7ffbc48a45a96cc176c70b46d6c7e0b8c5a3ab39a96c09d59c3e89009f498f65d6b3a46cc677a1c9b9813dc98d6710fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
0883108856685f5d483772ed4d84c777

SHA1
0c4a32cb64a4d9056d86d5f0aa6fac700403e819

SHA256
55712f76c9eed948e53fe46d2960101dabf9cd2edca0fd17c3c8de4fda92d410

SHA512
93e3703f3a7e9209c1e60b7795931a94dc76c3a87244c49e1d50f0df0f52bc0f9aebfe1239fbfd19b9836e418ca5face45dd7ed2d1e1b759099c6787a28400c1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
9ff56dd5128ec08fbbef3dabf648a7af

SHA1
955f0b5ff63883e8dac1dd7e879b44e0529717d9

SHA256
259da1abfd84c7355d86ff0131c7e0e76e9f7e6b820f69a52118b6bc668307d2

SHA512
72c7a688d9b3e8ea7c67413c6f9cdc10b46c2227b201f82bc1ff0911b8d7eb875a2dfc166425299dd24dc95bd8ba75174219d577700c8fa250b97ef2ad4e0d8e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\675911d6-1bec-4c0b-bff4-a67eb77e1049.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\AlternateServices.bin

Filesize
8KB

MD5
42df039682855ba857d40180a7c97bf8

SHA1
5811f12e6b56e0ba17398d14f0c14716f3168eb9

SHA256
215845c1a35ab6259460d4b85fd0e489f943f45ceec2c5d513d278021279b550

SHA512
ca1d8d35b2322dd44c9dc83b6a0fdda29f7e91930ebbc5a86296613a1d4c66d61de5aca6fab916b2c88b638d5cd2fcbd9bcb35140aa91cff64b7eb512bd287af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
778a950580fdcbb7567c40c344978ebe

SHA1
cf82371949a4d3a69aa70bc65ea3ada2c5723fa4

SHA256
f6ccc73f5f52c2092309665925afa3f6c057daeab15068c67370664ba810223e

SHA512
fafacdba04a2835861a76f3f0a62a29f0f639bd00c2a4eb0bb479a8df351efd204e6e250192b275c77a3af9839de074864b08a68cc2ca30ffa9eb607041390cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
fcdf3f6d75be804278691add52ffd235

SHA1
a8b57e4b565ac8d28824e680b11bc4d225676be2

SHA256
14badbcd16b4ab450c469007c645d8569ef9dc3567ce0aedb4cd701b1465284b

SHA512
18e5c05dbdae8fd80b756d25c809b70a93260acea2b51a577b8590aa6a82ccb0e1f9d36208eabd84d2903666d226ec0ba350e30bc6cc74f4600994fbda4aa6ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
6161ae9b2a9ed8e82b9d2473ad082372

SHA1
b51217c3f3208f666c2d0f049fe55a8e844875ce

SHA256
6a41183dc9f2aa320ca415cf794ec24913d80389805b07e6a8cb3831f83ddddd

SHA512
3096e9baa0062e6d6a58cd732df95344142977c9717d16cfe11aded9f562d4e3735db335b8b53abe176875830040b76f75f39c0e31207e31739ed04d151bbfc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
0206629fe85ffdcf1c2ef8bc8e93f862

SHA1
cb161f6161f13aef580a24ac3ced6f3a1b86a36d

SHA256
a6ef7ea601ad40e89bffdfb0a4d2f328e17e27b5debb5594cf590d8c0fc48a40

SHA512
723bd1fc79166e3f848b6bfd09e002f05c5411169d897a385d85e9abef9d98fdadc124ea8a9415b226d80588d137d8ec5399a349c3b52dd04991720996c4c160

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\7bf75386-b09a-4461-b9de-5bd86f34fe82

Filesize
659B

MD5
46c65acfdeb5e5f5e34c589a0761db39

SHA1
469df2ab1d311f4d26b339e6fc91d1b19ab6cf43

SHA256
ab27639e3f748d2cc749a07b2844e4310e7ecaf620bb4dee6c6e8fcd089f6153

SHA512
27673a63a2142e60be71b41e69a4979f324d468a3ebc90e582aa3a7b7bf833c6ee634398deda11c7f8785de131da21ea2f65a1da31f5574a02f07a44e042a537

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\f29bf608-b641-47c3-8768-0396ffe115be

Filesize
982B

MD5
e5a4f2e9889bccb530de72cdfb18caaf

SHA1
e45732eedbc6cdcfbff93a5882c3b2861adfe3e6

SHA256
073bea954e1c0dcadea3d425a6dfb0d791f9fef57eacc9988e7625254f4d086d

SHA512
c253f4edc9b66b14c94e01e9965eac7f8650a07f2ff9c665fb095222995bdf939a1eceab83c070ec1aa0e9a9e7aa6e1264f90ccee6ae8ed99ae4a26f1c426c02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs-1.js

Filesize
10KB

MD5
0b6ecec3309520af102b4050b6690be2

SHA1
2a997413aa51746df4ae14a8b722f1d93560ecac

SHA256
2f20a27f3a9bb64aa7a84239a6e38450f79e3a04fefe669fdfd41e960aaaa13c

SHA512
033ef80bfc236012e6da5fe32f61514f1d2d9cd2a2f87d6c1786010d3c8853da14377c589cc9558144409aac4a443b64c6a80c0e9ba7dcbea707c06383d86cf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs-1.js

Filesize
11KB

MD5
fd1de5682853d83100488ea02d16c8c1

SHA1
f130c5a944c4825595f40ec0abb17bef8e577d0a

SHA256
e34af6d57d165481ba04a33a75620426535e2ccf2b0abe0eb86c1facd6932828

SHA512
2c231bdf2f78dc9ac2926d1c261a48cdf2c3787ce32476dab366644eab7a0c498d79b276f13f7ec55d42188b53949faf55ccea58994b6dbd68b155ad2670a2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs.js

Filesize
10KB

MD5
80626aebfc3b6d87c17833c970a42788

SHA1
4d5290a8b686b97b87c9a01788f711842ad27dd8

SHA256
28b80535a3f29066bac7e1845e866fe79abf8c14e55ae5c86c5034a84f51c7ae

SHA512
ae79543a9b2b5a04191c88bdafd805b37f1bf81a99d17039a5f9ec214c6a579a894741b4418310b354327e95d175ea30c5c8dc1b4b80648a9087961ec7e0e906

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\Downloads\Setup7.0.zip

Filesize
1.3MB

MD5
caf07843d0eec5fd5d9b131256361752

SHA1
1ce0acf5f2b521752440ce6d1c108a365a1dca50

SHA256
abdc12b4bb4b9a7309bc067be6b097a4e11b0dccbf19494edb971b510303c923

SHA512
b72e81797f4d3264b12675e2d35c56d76ec9110c3814776068d23a51c5de20ed3bd0dd414fb3f0564633b408dc040eaf8407c5e319df7014c9249e5fbaea2839

Download Submit
C:\Users\Admin\Downloads\Setup7.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe

Filesize
1.7MB

MD5
2c685fc5572fee6107d76c17fa873a45

SHA1
05436164ce59ab80e0bcae7aa779b2426866446e

SHA256
f585f729ebcdaf7a70e16690398cca0036d1dd4c398b4044004e7ab0ccc6bf56

SHA512
6bd9fbf04c75c0a6a07846233e5cb31f7f8373f3bd2fc62f70f27c34d37d640d80647ca980530ba99d77586a954c73899a257e1dc2e422279a0c46f69e2107e3

Download Submit
C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe:a.dll

Filesize
1.4MB

MD5
d9a74092beacfbf63708895c03774dce

SHA1
44b28f038e8aabd1718b904ebc58a91b7f8be103

SHA256
6abbad8087891836e562bdf0420ce019471b649574caf68a938e300e9c546793

SHA512
4dec51a48b700ec4585bef9edd6d329dca1b562eae7e0609dd05462b4810f457e94fbefcd25e2853f27f36c4b8707676f34075cfe1ce2f00830d23a4a3a32f2e

Download Submit
memory/424-333-0x00007FF7228F0000-0x00007FF722AA5000-memory.dmp

Filesize
1.7MB

Download
memory/1248-82-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/1248-78-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3860-334-0x00007FF7228F0000-0x00007FF722AA5000-memory.dmp

Filesize
1.7MB

Download
memory/4640-637-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-635-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-636-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-634-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-626-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-627-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-625-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-631-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-632-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4640-633-0x00000289634B0000-0x00000289634B1000-memory.dmp

Filesize
4KB

Download
memory/4672-81-0x00007FFCF4F80000-0x00007FFCF50E4000-memory.dmp

Filesize
1.4MB

Download
memory/4672-79-0x00007FF6F7F80000-0x00007FF6F8135000-memory.dmp

Filesize
1.7MB

Download