Resubmissions

05/12/2024, 20:18 UTC

241205-y3mm3szpcx 3

05/12/2024, 12:32 UTC

241205-pqsh5avkc1 3

05/12/2024, 12:24 UTC

241205-pk96zstrft 10

Analysis

  • max time kernel
    93s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2024, 12:24 UTC

General

  • Target

    registry.html

  • Size

    1KB

  • MD5

    689a1880d6c5c0af7d0e3e567fe3df23

  • SHA1

    0e6f59da774e68d9aa8e18ae06865c473a721900

  • SHA256

    3e2e9b64c2701ed6fdd503b5cd52dcda17909a3f9f5f0f6c6b42ef8c9ae23c95

  • SHA512

    2ea34967d9a2c2478734537731fda96017e97fef4fd8ede1ec025e4fef992ca99fb8c412b15569edd697d451f26c6bce589783e0393dfe9538c158a7f1207160

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

JonahOscendoskY-53420.portmap.host:53420

Mutex

f38ec230-fd60-44ab-91a9-17577e4487f9

Attributes
  • encryption_key

    E127FB40EABF3C6167749BEDDDBC64167ED27B67

  • install_name

    Registry.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Registry

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\registry.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff994ef46f8,0x7ff994ef4708,0x7ff994ef4718
      2⤵
        PID:1040
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        2⤵
          PID:3004
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
          2⤵
            PID:4012
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
            2⤵
              PID:840
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
              2⤵
                PID:552
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
                2⤵
                  PID:2168
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2312
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
                  2⤵
                    PID:4632
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
                    2⤵
                      PID:2112
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
                      2⤵
                        PID:556
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
                        2⤵
                          PID:4652
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                          2⤵
                            PID:2576
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5816 /prefetch:8
                            2⤵
                              PID:4924
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
                              2⤵
                                PID:4964
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
                                2⤵
                                  PID:4632
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                                  2⤵
                                    PID:3772
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5748 /prefetch:8
                                    2⤵
                                      PID:4980
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4992 /prefetch:8
                                      2⤵
                                        PID:2328
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 /prefetch:8
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:2544
                                      • C:\Users\Admin\Downloads\registry.exe
                                        "C:\Users\Admin\Downloads\registry.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4980
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "Registry" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Registry.exe" /rl HIGHEST /f
                                          3⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4828
                                        • C:\Windows\system32\SubDir\Registry.exe
                                          "C:\Windows\system32\SubDir\Registry.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2224
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Registry" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Registry.exe" /rl HIGHEST /f
                                            4⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1808
                                      • C:\Users\Admin\Downloads\registry.exe
                                        "C:\Users\Admin\Downloads\registry.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4348
                                      • C:\Users\Admin\Downloads\registry.exe
                                        "C:\Users\Admin\Downloads\registry.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3112
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
                                        2⤵
                                          PID:700
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2880
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4768
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:428
                                            • C:\Users\Admin\Downloads\registry.exe
                                              "C:\Users\Admin\Downloads\registry.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1168

                                            Network

                                            • flag-us
                                              DNS
                                              8.8.8.8.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              8.8.8.8.in-addr.arpa
                                              IN PTR
                                              Response
                                              8.8.8.8.in-addr.arpa
                                              IN PTR
                                               dns.google
                                            • flag-us
                                              DNS
                                              104.219.191.52.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              104.219.191.52.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              23.159.190.20.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              23.159.190.20.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              72.204.58.216.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              72.204.58.216.in-addr.arpa
                                              IN PTR
                                              Response
                                              72.204.58.216.in-addr.arpa
                                              IN PTR
                                               lhr25s13-in-f8.1e100.net
                                              72.204.58.216.in-addr.arpa
                                              IN PTR
                                               lhr25s13-in-f72.1e100.net
                                              72.204.58.216.in-addr.arpa
                                              IN PTR
                                               lhr48s49-in-f8.1e100.net
                                            • flag-us
                                              DNS
                                              83.210.23.2.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              83.210.23.2.in-addr.arpa
                                              IN PTR
                                              Response
                                              83.210.23.2.in-addr.arpa
                                              IN PTR
                                               a2-23-210-83.deploy.static.akamaitechnologies.com
                                            • flag-us
                                              DNS
                                              95.221.229.192.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              95.221.229.192.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              217.106.137.52.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              217.106.137.52.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              14.200.250.142.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              14.200.250.142.in-addr.arpa
                                              IN PTR
                                              Response
                                              14.200.250.142.in-addr.arpa
                                              IN PTR
                                               lhr48s29-in-f14.1e100.net
                                            • flag-us
                                              DNS
                                              200.163.202.172.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              200.163.202.172.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              tmpfiles.org
                                              msedge.exe
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              tmpfiles.org
                                              IN A
                                              Response
                                              tmpfiles.org
                                              IN A
                                              104.21.21.16
                                              tmpfiles.org
                                              IN A
                                              172.67.195.247
                                            • flag-us
                                              GET
                                              https://tmpfiles.org/dl/17112468/registry.exe
                                              msedge.exe
                                              Remote address:
                                              104.21.21.16:443
                                              Request
                                              GET /dl/17112468/registry.exe HTTP/2.0
                                              host: tmpfiles.org
                                              sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
                                              sec-ch-ua-mobile: ?0
                                              dnt: 1
                                              upgrade-insecure-requests: 1
                                              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                                              accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                              sec-fetch-site: cross-site
                                              sec-fetch-mode: navigate
                                              sec-fetch-user: ?1
                                              sec-fetch-dest: document
                                              accept-encoding: gzip, deflate, br
                                              accept-language: en-US,en;q=0.9
                                              Response
                                              HTTP/2.0 200
                                              date: Thu, 05 Dec 2024 12:25:08 GMT
                                              content-type: application/x-dosexec
                                              content-length: 3266048
                                              content-disposition: inline; filename=registry.exe
                                              cache-control: no-cache, private
                                              cf-cache-status: BYPASS
                                              set-cookie: XSRF-TOKEN=eyJpdiI6IjNobXZPSlNyNnpoNVgwczQ0SWlkTnc9PSIsInZhbHVlIjoiWDhKUWFQOWF5dURFTDFpUUtUVUs1ZU9WaTVGWElaWGJ5TnV4TmxsZ1ZKTnp4bzdKV3BaMEViaUM2clpkMGZMczFYMmR1SHA2NVBqSWl5NS9Yd21OdUNjSlBvVjZWaUQ1WFc1S0Y2S1ZXdS96clJRajJWS1c4ZUQ2TG5VQVg5L1UiLCJtYWMiOiI2MDRhYzcxNDA1MTczNDU1OTA1MTZhZTkxNjE1NWU0NTk1ZTdkNDVkM2MyMmU1YjhmZTllMGNhYTVmNTBlY2Q3In0%3D; expires=Thu, 05-Dec-2024 14:25:08 GMT; Max-Age=7200; path=/; samesite=lax
                                              set-cookie: tmpfiles_session=eyJpdiI6IlFCN2lCTGQzdGE3YytmR3dVVmhYZ1E9PSIsInZhbHVlIjoidCtzZ05sMHBBR0hTK1NqR3R4cnJrdVhMaS9iZVRjeFFhZlZzVlczanVBVVVBRjB4S3MrZ3N3VWxaMUZHSUV2cUtUVnlLTUpHYUxjYXJsOGloSndhN0JGTTJiNkttdlpMVlA2ZytSNGZGcTBrOVBodlF5SUt6dmcvRW5ZbWJ4MVoiLCJtYWMiOiIzY2ZkN2VhNDI1OTExZmVhZmYxNTE1NGUwODc0ZjFkMTIwMzMxNzc1ODkxNzg0MmE2NWJjMGZiNTgwNGU0YjY3In0%3D; expires=Thu, 05-Dec-2024 14:25:08 GMT; Max-Age=7200; path=/; httponly; samesite=lax
                                              accept-ranges: bytes
                                              report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q2WQQ7nSEsDVSMwQxNa6RvDFb0yGj6QmAhmNnwTzNV4aLmXZOcr39tusNcr%2FGVTH43gZNgN0MulyRX%2BheAUNo8fOAb9vB1%2FLM1snRqnGkpga2O9eYSgNIXFc7GJuOUw%3D"}],"group":"cf-nel","max_age":604800}
                                              nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              vary: Accept-Encoding
                                              server: cloudflare
                                              cf-ray: 8ed404615b63459f-LHR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=47438&min_rtt=47327&rtt_var=13417&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2850&recv_bytes=1182&delivery_rate=57345&cwnd=253&unsent_bytes=0&cid=7f3708d5c643a2ba&ts=157&x=0"
                                            • flag-us
                                              GET
                                              https://tmpfiles.org/dl/17112468/registry.exe
                                              msedge.exe
                                              Remote address:
                                              104.21.21.16:443
                                              Request
                                              GET /dl/17112468/registry.exe HTTP/2.0
                                              host: tmpfiles.org
                                              sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
                                              sec-ch-ua-mobile: ?0
                                              upgrade-insecure-requests: 1
                                              dnt: 1
                                              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                                              accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                              sec-fetch-site: cross-site
                                              sec-fetch-mode: navigate
                                              sec-fetch-user: ?1
                                              sec-fetch-dest: document
                                              accept-encoding: gzip, deflate, br
                                              accept-language: en-US,en;q=0.9
                                              cookie: XSRF-TOKEN=eyJpdiI6IjNobXZPSlNyNnpoNVgwczQ0SWlkTnc9PSIsInZhbHVlIjoiWDhKUWFQOWF5dURFTDFpUUtUVUs1ZU9WaTVGWElaWGJ5TnV4TmxsZ1ZKTnp4bzdKV3BaMEViaUM2clpkMGZMczFYMmR1SHA2NVBqSWl5NS9Yd21OdUNjSlBvVjZWaUQ1WFc1S0Y2S1ZXdS96clJRajJWS1c4ZUQ2TG5VQVg5L1UiLCJtYWMiOiI2MDRhYzcxNDA1MTczNDU1OTA1MTZhZTkxNjE1NWU0NTk1ZTdkNDVkM2MyMmU1YjhmZTllMGNhYTVmNTBlY2Q3In0%3D
                                              cookie: tmpfiles_session=eyJpdiI6IlFCN2lCTGQzdGE3YytmR3dVVmhYZ1E9PSIsInZhbHVlIjoidCtzZ05sMHBBR0hTK1NqR3R4cnJrdVhMaS9iZVRjeFFhZlZzVlczanVBVVVBRjB4S3MrZ3N3VWxaMUZHSUV2cUtUVnlLTUpHYUxjYXJsOGloSndhN0JGTTJiNkttdlpMVlA2ZytSNGZGcTBrOVBodlF5SUt6dmcvRW5ZbWJ4MVoiLCJtYWMiOiIzY2ZkN2VhNDI1OTExZmVhZmYxNTE1NGUwODc0ZjFkMTIwMzMxNzc1ODkxNzg0MmE2NWJjMGZiNTgwNGU0YjY3In0%3D
                                              Response
                                              HTTP/2.0 200
                                              date: Thu, 05 Dec 2024 12:25:10 GMT
                                              content-type: application/x-dosexec
                                              content-length: 3266048
                                              content-disposition: inline; filename=registry.exe
                                              cache-control: no-cache, private
                                              cf-cache-status: BYPASS
                                              set-cookie: XSRF-TOKEN=eyJpdiI6Ii9NWWRYTmhaMXB0MFRXalZ3TWZ4eHc9PSIsInZhbHVlIjoiL2ZFYkpmeFpWYTRkbFJIU3FrWHFrcnNTSUhQM2xuWDUwZnI4L0RNdW5LOWlNL2VrbGpqck5CZkh3MmtOQ3lORHduYWhpbFRWMlpIcWkzdXc4Y0NDbTNWQmhUM0ZCT3BKWEZ6bUVScnVCTUtreHpyc2JuZ0tuY05UZno3QU1Ld3kiLCJtYWMiOiI4YjQ5NDkzMGVjNDQ4ZGIyN2Y3MzExYmJkN2E3NzU2ZDgzMTMzZGNmMGFhNjY2NGFiMjViMjRiODM4NWZlNzA0In0%3D; expires=Thu, 05-Dec-2024 14:25:10 GMT; Max-Age=7200; path=/; samesite=lax
                                              set-cookie: tmpfiles_session=eyJpdiI6IjJmNEo5aWpSK2NUd1JVdkhob0ZUY0E9PSIsInZhbHVlIjoiOTA1N0t4ZnRudFBPSjNaTWdBSUFXOUNsb1R0Mk9XYWtDdUZFMVpGcUhBdllNd21JWS95Zkc2T2crR2pPYW1ROXZkM1VKcVhpdFFhcWNBTTFzZ3lXRzgzTWM5cFZKMlFqYTZ0eXVOMXpoYUlHM3VIbUdLTUZ2NDlXenV0QWpkcUciLCJtYWMiOiJiODNiNjEyNWEwNTg4ZTNkMWQyNWFmYTI4YTI5OWI5ZGMwMGY4NjU4NDM5Yjk4N2MxOWM2YjVmMWM1ZWQ2YTUwIn0%3D; expires=Thu, 05-Dec-2024 14:25:10 GMT; Max-Age=7200; path=/; httponly; samesite=lax
                                              accept-ranges: bytes
                                              report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2K6mZYa%2BYBCs4%2FW%2FSxBTIjy2m5oCrOTNjyGJv8jqrmt0yEGDorZzULfhQ5tnqtmhGgjc4QpiBobjcdFYB4YtmAkp8z%2BKsL%2FJ80egvyfl9A3TGLB%2FYG%2BCIqiHkTitpRc%3D"}],"group":"cf-nel","max_age":604800}
                                              nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              vary: Accept-Encoding
                                              server: cloudflare
                                              cf-ray: 8ed4047189b1459f-LHR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=59775&min_rtt=46822&rtt_var=110&sent=2671&recv=1836&lost=0&retrans=219&sent_bytes=3576102&recv_bytes=1820&delivery_rate=1151673&cwnd=1453&unsent_bytes=0&cid=7f3708d5c643a2ba&ts=2747&x=0"
                                            • flag-us
                                              DNS
                                              206.23.85.13.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              206.23.85.13.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              16.21.21.104.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              16.21.21.104.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              172.214.232.199.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              172.214.232.199.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              JonahOscendoskY-53420.portmap.host
                                              Registry.exe
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              JonahOscendoskY-53420.portmap.host
                                              IN A
                                              Response
                                              JonahOscendoskY-53420.portmap.host
                                              IN A
                                              193.161.193.99
                                            • flag-us
                                              DNS
                                              ipwho.is
                                              Registry.exe
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              ipwho.is
                                              IN A
                                              Response
                                              ipwho.is
                                              IN A
                                              195.201.57.90
                                            • flag-de
                                              GET
                                              https://ipwho.is/
                                              Registry.exe
                                              Remote address:
                                              195.201.57.90:443
                                              Request
                                              GET / HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                              Host: ipwho.is
                                              Connection: Keep-Alive
                                              Response
                                              HTTP/1.1 200 OK
                                              Date: Thu, 05 Dec 2024 12:25:19 GMT
                                              Content-Type: application/json; charset=utf-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Server: ipwhois
                                              Access-Control-Allow-Headers: *
                                              X-Robots-Tag: noindex
                                            • flag-us
                                              DNS
                                              99.193.161.193.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              99.193.161.193.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              240.221.184.93.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              240.221.184.93.in-addr.arpa
                                              IN PTR
                                              Response
                                            • flag-us
                                              DNS
                                              90.57.201.195.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              90.57.201.195.in-addr.arpa
                                              IN PTR
                                              Response
                                              90.57.201.195.in-addr.arpa
                                              IN PTR
                                              static.90.57.201.195.clients.your-server.de
                                            • flag-us
                                              DNS
                                              22.236.111.52.in-addr.arpa
                                              Remote address:
                                              8.8.8.8:53
                                              Request
                                              22.236.111.52.in-addr.arpa
                                              IN PTR
                                              Response
                                            • 216.58.204.74:445
                                              fonts.googleapis.com
                                              260 B
                                              5
                                            • 216.58.204.74:139
                                              fonts.googleapis.com
                                              260 B
                                              5
                                            • 104.21.21.16:443
                                              https://tmpfiles.org/dl/17112468/registry.exe
                                              tls, http2
                                              msedge.exe
                                              226.6kB
                                              6.8MB
                                              3742
                                              4893

                                              HTTP Request

                                              GET https://tmpfiles.org/dl/17112468/registry.exe

                                              HTTP Response

                                              200

                                              HTTP Request

                                              GET https://tmpfiles.org/dl/17112468/registry.exe

                                              HTTP Response

                                              200
                                            • 104.21.21.16:443
                                              tmpfiles.org
                                              tls
                                              msedge.exe
                                              897 B
                                              2.5kB
                                              7
                                              5
                                            • 193.161.193.99:53420
                                              JonahOscendoskY-53420.portmap.host
                                              tls
                                              Registry.exe
                                              139.9kB
                                              11.5kB
                                              215
                                              166
                                            • 195.201.57.90:443
                                              https://ipwho.is/
                                              tls, http
                                              Registry.exe
                                              877 B
                                              6.3kB
                                              9
                                              10

                                              HTTP Request

                                              GET https://ipwho.is/

                                              HTTP Response

                                              200
                                            • 8.8.8.8:53
                                              8.8.8.8.in-addr.arpa
                                              dns
                                              66 B
                                              90 B
                                              1
                                              1

                                              DNS Request

                                              8.8.8.8.in-addr.arpa

                                            • 8.8.8.8:53
                                              104.219.191.52.in-addr.arpa
                                              dns
                                              73 B
                                              147 B
                                              1
                                              1

                                              DNS Request

                                              104.219.191.52.in-addr.arpa

                                            • 8.8.8.8:53
                                              23.159.190.20.in-addr.arpa
                                              dns
                                              72 B
                                              158 B
                                              1
                                              1

                                              DNS Request

                                              23.159.190.20.in-addr.arpa

                                            • 8.8.8.8:53
                                              72.204.58.216.in-addr.arpa
                                              dns
                                              72 B
                                              169 B
                                              1
                                              1

                                              DNS Request

                                              72.204.58.216.in-addr.arpa

                                            • 8.8.8.8:53
                                              83.210.23.2.in-addr.arpa
                                              dns
                                              70 B
                                              133 B
                                              1
                                              1

                                              DNS Request

                                              83.210.23.2.in-addr.arpa

                                            • 8.8.8.8:53
                                              95.221.229.192.in-addr.arpa
                                              dns
                                              73 B
                                              144 B
                                              1
                                              1

                                              DNS Request

                                              95.221.229.192.in-addr.arpa

                                            • 224.0.0.251:5353
                                              msedge.exe
                                              394 B
                                              6
                                            • 8.8.8.8:53
                                              217.106.137.52.in-addr.arpa
                                              dns
                                              73 B
                                              147 B
                                              1
                                              1

                                              DNS Request

                                              217.106.137.52.in-addr.arpa

                                            • 8.8.8.8:53
                                              14.200.250.142.in-addr.arpa
                                              dns
                                              73 B
                                              112 B
                                              1
                                              1

                                              DNS Request

                                              14.200.250.142.in-addr.arpa

                                            • 8.8.8.8:53
                                              200.163.202.172.in-addr.arpa
                                              dns
                                              74 B
                                              160 B
                                              1
                                              1

                                              DNS Request

                                              200.163.202.172.in-addr.arpa

                                            • 8.8.8.8:53
                                              tmpfiles.org
                                              dns
                                              msedge.exe
                                              58 B
                                              90 B
                                              1
                                              1

                                              DNS Request

                                              tmpfiles.org

                                              DNS Response

                                              104.21.21.16
                                              172.67.195.247

                                            • 8.8.8.8:53
                                              206.23.85.13.in-addr.arpa
                                              dns
                                              71 B
                                              145 B
                                              1
                                              1

                                              DNS Request

                                              206.23.85.13.in-addr.arpa

                                            • 8.8.8.8:53
                                              16.21.21.104.in-addr.arpa
                                              dns
                                              71 B
                                              133 B
                                              1
                                              1

                                              DNS Request

                                              16.21.21.104.in-addr.arpa

                                            • 8.8.8.8:53
                                              172.214.232.199.in-addr.arpa
                                              dns
                                              74 B
                                              128 B
                                              1
                                              1

                                              DNS Request

                                              172.214.232.199.in-addr.arpa

                                            • 8.8.8.8:53
                                              JonahOscendoskY-53420.portmap.host
                                              dns
                                              Registry.exe
                                              80 B
                                              96 B
                                              1
                                              1

                                              DNS Request

                                              JonahOscendoskY-53420.portmap.host

                                              DNS Response

                                              193.161.193.99

                                            • 8.8.8.8:53
                                              ipwho.is
                                              dns
                                              Registry.exe
                                              54 B
                                              70 B
                                              1
                                              1

                                              DNS Request

                                              ipwho.is

                                              DNS Response

                                              195.201.57.90

                                            • 8.8.8.8:53
                                              99.193.161.193.in-addr.arpa
                                              dns
                                              73 B
                                              131 B
                                              1
                                              1

                                              DNS Request

                                              99.193.161.193.in-addr.arpa

                                            • 8.8.8.8:53
                                              240.221.184.93.in-addr.arpa
                                              dns
                                              73 B
                                              144 B
                                              1
                                              1

                                              DNS Request

                                              240.221.184.93.in-addr.arpa

                                            • 8.8.8.8:53
                                              90.57.201.195.in-addr.arpa
                                              dns
                                              72 B
                                              129 B
                                              1
                                              1

                                              DNS Request

                                              90.57.201.195.in-addr.arpa

                                            • 8.8.8.8:53
                                              22.236.111.52.in-addr.arpa
                                              dns
                                              72 B
                                              158 B
                                              1
                                              1

                                              DNS Request

                                              22.236.111.52.in-addr.arpa

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              baf55b95da4a601229647f25dad12878

                                              SHA1

                                              abc16954ebfd213733c4493fc1910164d825cac8

                                              SHA256

                                              ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                              SHA512

                                              24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              dc058ebc0f8181946a312f0be99ed79c

                                              SHA1

                                              0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

                                              SHA256

                                              378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

                                              SHA512

                                              36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              a0486d6f8406d852dd805b66ff467692

                                              SHA1

                                              77ba1f63142e86b21c951b808f4bc5d8ed89b571

                                              SHA256

                                              c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

                                              SHA512

                                              065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                              Filesize

                                              676B

                                              MD5

                                              9b3f8ce20fa4f670580b7511e740e6ec

                                              SHA1

                                              6ae1dd82b521fe4229b1ca4b96b55f651c486dca

                                              SHA256

                                              4ef1b834c948f1deabe92a7e3a1522af35f95c12db3cd863c95981170c5cdd68

                                              SHA512

                                              8f97f1ea5df089016e6b899121cb1a6837b1176c9c0ce6c2cb2547f9f8f030c0ec59b79ece5d91500d2b1db364379ada6002e67db966af10f08e29e5fcae5fa3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              07263c3c661fc80458c16ef765253072

                                              SHA1

                                              45f9d8f93fb704a21a097150506d071a01a95336

                                              SHA256

                                              74c9e5bec7e2804c4506624e2eda137a6f077670e805d6b803c929493af49ffb

                                              SHA512

                                              b6401c5e4dd0bf338a15273053d7f478bdc325a0585ccae1b440cdc0736ad5d05f84fe35822a75b3cb97a27bedc14bcba390b3adafaecd98c8513f68eabd0bc3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              7ee203ad2653e91ceef68c66427d671c

                                              SHA1

                                              5c68daf22b0934a66f10f511699d177600589035

                                              SHA256

                                              c3734c9f75bce269ea9c9e194a49ffa20a7b4c2e280e4bc97870972fc03a50cf

                                              SHA512

                                              4dbf87cc417cdadfeefa159da74148ef606e9b750cf31485b6e62e94a32a2d89b38a56e751d87c6d997ec3f4559b6ed4fd5987aff6969ec48b2e162ce385169d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              7caacc23f1fdb034d1ec8c33b77dd735

                                              SHA1

                                              561bc74d9f9ad11781b099a2424e9578f879260c

                                              SHA256

                                              39dfe465613db3f643aeb15455d69d02a097e9d46b5d22ffddb83dc611483670

                                              SHA512

                                              b5b89c0799d38f805c5024865baeb882748670548d6d20c474216094ceee37a20aa7711a4eb593529816dff948cc207c2219c632a5c99be2a102659683848946

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              6e0ecf9ae5a921b6a595fa384d246a00

                                              SHA1

                                              a6e5a7c0ed90e64a19fd851fedcfb6e809ff3616

                                              SHA256

                                              478b6aa35a9de8bfd8cd5185a874d02b48f8600d6a0295d6a154e253a3175693

                                              SHA512

                                              8e29850ebf2b43e5ffc78e8f32fa103e8c87f4837a5015aedc49ab602e42061e4df78051877e9e6a2284789c1d3110787d5f606373b90b1aa19243fb09b982c5

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              1ef19a7113d915f8c9950a01333de129

                                              SHA1

                                              59ebc7607ad64146ae156d7c1faac1f76e526dad

                                              SHA256

                                              bf7d5109cec17dc117be818d9eab30ad5d793cd72992a7ab93494f77b04ef100

                                              SHA512

                                              2994af21c4cffedbec3bec85742b332854cdb7bd973e3f6f99557dc4f128e30621695d47e21908bdf2822a29283d71a13050dbaaab8bc5e0c8af674905076a13

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                              Filesize

                                              370B

                                              MD5

                                              733bd87f7b277eae07216612a10eb531

                                              SHA1

                                              2abdef3f44d693e1a22dd1fd9e72d77b058632aa

                                              SHA256

                                              16d3765a9c028f6a78fc7a11016ade94893aa58cc82dc7250a34bae2b7a75aac

                                              SHA512

                                              94ce86ac7af8f1ecdff61d465f1ffe77664e7a41874b65f8c6966de9734056e6bbdcc4a672b25c8a76cdeb71005e2bf6563c0e793d24c7f371725f257781ebf5

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583294.TMP

                                              Filesize

                                              203B

                                              MD5

                                              f94f8c1d94f106868a2d9b8d8f932cd4

                                              SHA1

                                              caa6cfab1f64042e7a43bea30fde5c4b1771fbdd

                                              SHA256

                                              db71cee11bdc3c65fb90ca31536f31db22c7d17da1815e15ee2d1948e100fde5

                                              SHA512

                                              aa17fce3045cb4732662da82d8e1e48f31bb4e03ab0fd67ab72855e66d3e01c403179dd18f6b4d80f1a2213e9468e91c07bb77489f1edd553dec0dfc2dfaa428

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              206702161f94c5cd39fadd03f4014d98

                                              SHA1

                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                              SHA256

                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                              SHA512

                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              10KB

                                              MD5

                                              77e59b2f498ea6ff5053e2f51d6a7ddb

                                              SHA1

                                              8092341c1769af6d9c824a0e5679539ce0c84521

                                              SHA256

                                              36332dacab5e45866021690c3ce9c257610618e65836ccf0b4a97e3e91e16a3e

                                              SHA512

                                              ba487ef1786e6cedd93c4001d9a15297518ee564f2f4324df032094970c8b54467f2b31da1a5f03e1ba80fdf356ea92def9b72e31ad86a84f5e95be200dad051

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              10KB

                                              MD5

                                              bc94a4d0628b5d36aa7bf0e8637e1f56

                                              SHA1

                                              5d45c820eba875bbb7994431b6fd82a433f2eb4c

                                              SHA256

                                              76459f0fd29c3973e7273da054b46e6c5a2cd1b92072f6258f13cbf62c371f1e

                                              SHA512

                                              4578920b4e5903c56fa8b41fe137770913da9956f4a8508183599ca154f28fa9df9d9083f8065086b00478b20f33937656a14ef0ee282b76495a682274d77688

                                            • C:\Users\Admin\Downloads\Unconfirmed 347977.crdownload

                                              Filesize

                                              3.1MB

                                              MD5

                                              856af8902c2dafc7a5bc1756300b7e6b

                                              SHA1

                                              234f69af2257f17e7961656413794bb2968af432

                                              SHA256

                                              d888126c2f1e9639469e7038e4ab840a52c7bcdcedbceac7a55e14e391d01cbd

                                              SHA512

                                              24fbbad0b282cfb5e5555683319e681ecc723ebd61066ccf02f055abf898b5fab68cfcf26891884faca1d54e706f845b8d561dc368bae2163ac8cabcfaea2490

                                            • memory/2224-156-0x000000001BC20000-0x000000001BC70000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/2224-157-0x000000001BD30000-0x000000001BDE2000-memory.dmp

                                              Filesize

                                              712KB

                                            • memory/2224-160-0x000000001BC70000-0x000000001BC82000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2224-161-0x000000001BCD0000-0x000000001BD0C000-memory.dmp

                                              Filesize

                                              240KB

                                            • memory/4980-146-0x00000000001C0000-0x00000000004E4000-memory.dmp

                                              Filesize

                                              3.1MB
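The memory dump names above follow a pattern of `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, and the listed sizes are the address range in binary units (0x4E4000 - 0x1C0000 = 0x324000 bytes, which is the 3.1MB shown for PID 4980). The following is an added example, not code from the report or from the Triage service: it parses those names, renders sizes the way the listing does, and re-hashes a recovered copy of a dropped file against the report's digests. The field layout of the dump name is inferred from the entries above and is an assumption; the lookup table and the self-test payload are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed lookup table (values copied from the dropped-file listing above).
# In practice this would be built from the report's machine-readable export.
DROPPED = {
    r"C:\Users\Admin\Downloads\Unconfirmed 347977.crdownload": {
        "md5": "856af8902c2dafc7a5bc1756300b7e6b",
        "sha1": "234f69af2257f17e7961656413794bb2968af432",
        "sha256": "d888126c2f1e9639469e7038e4ab840a52c7bcdcedbceac7a55e14e391d01cbd",
    },
}

# Assumed layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memory_dump_name(name: str) -> dict:
    """Split a memory-dump name into pid, sequence number, address range and size."""
    m = MEM_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Render a byte count the way the listing does: binary units, e.g. 320KB, 3.1MB."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def hash_file(path, algorithms=("md5", "sha1", "sha256", "sha512")) -> dict:
    """Compute several digests in one pass so a large drop is read only once."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_dropped(local_path, expected: dict) -> dict:
    """Compare a recovered copy of a dropped file against the report's digests, per algorithm."""
    actual = hash_file(local_path, tuple(expected))
    return {alg: actual[alg] == digest.lower() for alg, digest in expected.items()}


def selftest() -> tuple:
    """Constructed check: hash a throwaway file, then verify it against matching and wrong digests."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "sample.bin"
        p.write_bytes(b"constructed sample payload, not the real drop\n" * 64)
        data = p.read_bytes()
        good = {"sha256": hashlib.sha256(data).hexdigest(),
                "md5": hashlib.md5(data).hexdigest()}
        bad = {"sha256": "00" * 32}
        return verify_dropped(p, good), verify_dropped(p, bad)


if __name__ == "__main__":
    region = parse_memory_dump_name(
        "memory/4980-146-0x00000000001C0000-0x00000000004E4000-memory.dmp")
    print(region["pid"], human_size(region["size"]))  # 4980 3.1MB
    print(selftest())
```

When all four digests are listed, compare every one rather than only MD5: an attacker-controlled file can be made to collide on MD5 or SHA1, but matching SHA256 and SHA512 as well pins the recovered artifact to exactly what the sandbox saw.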
