f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe

Analysis

max time kernel
175s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe
Size

841KB
MD5

5c78b4f550ac1b5504dfd857037ba6d7
SHA1

375f3695f0bcd91557e4ea05671e23c9b69f4b6b
SHA256

f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe
SHA512

34fa948efafb586a112442c65296ee0ab30f6ba47146099ad9ea369c91e6cd8c2597404024b3227482e756075b62673ce4ffac5ce423dc093bf33e0b69c0d077
SSDEEP

12288:AM/ke/cSJpYLKa4pN5wFd/dg/QqyykJ/QO2welV8zT0Iw5puy8:AMce/uOf+z/6/QqyyTmOVhl2F

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4832	SantetPiso.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe

Loads dropped DLL 2 IoCs

pid	Process
4832	SantetPiso.exe
4832	SantetPiso.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\92d6868e-c666-4916-9b31-913c60168a37.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221206163051.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx005E62E72A\\GIFviewer.ocx, 30000"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx005E62E72A\\GIFviewer.ocx"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx005E62E72A\\GIFviewer.ocx"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID\ = "WelchGIFviewer.ucAniGIF"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx005E62E72A"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF"	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32	SantetPiso.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	SantetPiso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0"	SantetPiso.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
3552	msedge.exe
3552	msedge.exe
3828	msedge.exe
3828	msedge.exe
5052	msedge.exe
5052	msedge.exe
1304	identity_helper.exe
1304	identity_helper.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4832	SantetPiso.exe
4832	SantetPiso.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4832	2124	f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe	79
PID 2124 wrote to memory of 4832	2124	f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe	79
PID 2124 wrote to memory of 4832	2124	f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe	79
PID 4832 wrote to memory of 5088	4832	SantetPiso.exe	81
PID 4832 wrote to memory of 5088	4832	SantetPiso.exe	81
PID 4832 wrote to memory of 5052	4832	SantetPiso.exe	82
PID 4832 wrote to memory of 5052	4832	SantetPiso.exe	82
PID 4832 wrote to memory of 4244	4832	SantetPiso.exe	83
PID 4832 wrote to memory of 4244	4832	SantetPiso.exe	83
PID 5052 wrote to memory of 964	5052	msedge.exe	86
PID 5052 wrote to memory of 964	5052	msedge.exe	86
PID 4244 wrote to memory of 1472	4244	msedge.exe	85
PID 4244 wrote to memory of 1472	4244	msedge.exe	85
PID 5088 wrote to memory of 2016	5088	msedge.exe	84
PID 5088 wrote to memory of 2016	5088	msedge.exe	84
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 5052 wrote to memory of 456	5052	msedge.exe	89
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90
PID 4244 wrote to memory of 4884	4244	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe
"C:\Users\Admin\AppData\Local\Temp\f0ac4c67d32c551080db03856366b33f2830ede373fc3f8d093028432c3e7efe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\SantetPiso.exe
  "C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\SantetPiso.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tambores-hacker.blogspot.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffa7b4446f8,0x7ffa7b444708,0x7ffa7b444718
      4⤵
      PID:2016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1958634747131079876,2984665045071063337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1958634747131079876,2984665045071063337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://sukamajuciters.blogspot.com/
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa7b4446f8,0x7ffa7b444708,0x7ffa7b444718
      4⤵
      PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:1604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
      4⤵
      PID:4080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
      4⤵
      PID:1540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
      4⤵
      PID:2932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6836 /prefetch:8
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
      4⤵
      PID:4600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
      4⤵
      PID:212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1e4,0x22c,0x7ff7b94d5460,0x7ff7b94d5470,0x7ff7b94d5480
        5⤵
        
        PID:3204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7536 /prefetch:8
      4⤵
      PID:116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17853935916539887506,6421682956495152223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://luwuutarasukamaju.blogspot.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7b4446f8,0x7ffa7b444708,0x7ffa7b444718
      4⤵
      PID:1472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,8165307937646775577,14618012978893796770,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,8165307937646775577,14618012978893796770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
e24fa878166bc46852389f90209079d8

SHA1
2a499789da5aca7931f3200bd1ee711ea1397b0a

SHA256
02cbfe3757bd0284841fc419b3da25ce2ae58690691523a9ed00a398f2f621a7

SHA512
b99bfda6be8280a11fe64769666656d81fb2b96b1a08b32f3a1f5931e1467d45eb7261d7870c8dc802a5643638e31316d41927ed6bdea2ad6f07d58af5c56d22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
e24fa878166bc46852389f90209079d8

SHA1
2a499789da5aca7931f3200bd1ee711ea1397b0a

SHA256
02cbfe3757bd0284841fc419b3da25ce2ae58690691523a9ed00a398f2f621a7

SHA512
b99bfda6be8280a11fe64769666656d81fb2b96b1a08b32f3a1f5931e1467d45eb7261d7870c8dc802a5643638e31316d41927ed6bdea2ad6f07d58af5c56d22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
0873d02df7ada5cb27d05c70bb49c96c

SHA1
1a63a022b363cf02d99cc376de73369a76ce27e9

SHA256
3b71538fad7a2991df006e91d5a331698e99f450d5f8a5e021612fe3715169c1

SHA512
e11f9118d4e12c97e1c06e28e413a045d280ba98d81134fc751eda013bd331d7ce661c15545ac0058bd5e2f8b0a9c4288f700f6d01935747997f802d7185d02f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
0873d02df7ada5cb27d05c70bb49c96c

SHA1
1a63a022b363cf02d99cc376de73369a76ce27e9

SHA256
3b71538fad7a2991df006e91d5a331698e99f450d5f8a5e021612fe3715169c1

SHA512
e11f9118d4e12c97e1c06e28e413a045d280ba98d81134fc751eda013bd331d7ce661c15545ac0058bd5e2f8b0a9c4288f700f6d01935747997f802d7185d02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
56cb79454a6d46c8569a5da84b4d0ef7

SHA1
ff8730365776881719f9b0b556515bcd92c5108b

SHA256
832e0eed619dbcf2c4119723c61974275bc8856d87427be55696b3129d64605f

SHA512
f1a68102cb89cd97b43f47467f3b501cd19196b2dd3ec6c396c57a40c1b09f829a4f941f641ec980756b270fc071f89aa7a30e1a598e00104e9f917b47178a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
56cb79454a6d46c8569a5da84b4d0ef7

SHA1
ff8730365776881719f9b0b556515bcd92c5108b

SHA256
832e0eed619dbcf2c4119723c61974275bc8856d87427be55696b3129d64605f

SHA512
f1a68102cb89cd97b43f47467f3b501cd19196b2dd3ec6c396c57a40c1b09f829a4f941f641ec980756b270fc071f89aa7a30e1a598e00104e9f917b47178a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
56cb79454a6d46c8569a5da84b4d0ef7

SHA1
ff8730365776881719f9b0b556515bcd92c5108b

SHA256
832e0eed619dbcf2c4119723c61974275bc8856d87427be55696b3129d64605f

SHA512
f1a68102cb89cd97b43f47467f3b501cd19196b2dd3ec6c396c57a40c1b09f829a4f941f641ec980756b270fc071f89aa7a30e1a598e00104e9f917b47178a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
56cb79454a6d46c8569a5da84b4d0ef7

SHA1
ff8730365776881719f9b0b556515bcd92c5108b

SHA256
832e0eed619dbcf2c4119723c61974275bc8856d87427be55696b3129d64605f

SHA512
f1a68102cb89cd97b43f47467f3b501cd19196b2dd3ec6c396c57a40c1b09f829a4f941f641ec980756b270fc071f89aa7a30e1a598e00104e9f917b47178a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\SantetPiso.exe

Filesize
440KB

MD5
3c8defe0058cc45ddc917f468706fea6

SHA1
c75659c745cf3df22558342532d82fd1eb6b4376

SHA256
9f9398bcfb21a4896d045cdcc850f38d2c729cca90bc0e1a3abb02efb4321b1a

SHA512
eab303546687aaa64ddde080c07b2883a2fb68e9713d2e7504296b33a89944a27dccd24d405812bd8e058c66d37d437b15905b2d70f5595a3c0e2a02a5f361fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx005E62E72A\SantetPiso.exe

Filesize
440KB

MD5
3c8defe0058cc45ddc917f468706fea6

SHA1
c75659c745cf3df22558342532d82fd1eb6b4376

SHA256
9f9398bcfb21a4896d045cdcc850f38d2c729cca90bc0e1a3abb02efb4321b1a

SHA512
eab303546687aaa64ddde080c07b2883a2fb68e9713d2e7504296b33a89944a27dccd24d405812bd8e058c66d37d437b15905b2d70f5595a3c0e2a02a5f361fd

Download Submit