povertystealer | hxxp://www[.]mediafire[.]com/file/qzqx86taavvynwl/sansayrex[.]rar/file

Analysis

max time kernel
81s
max time network
85s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2025, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.mediafire.com/file/qzqx86taavvynwl/sansayrex.rar/file

Score

10^/10

povertystealer discovery stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2148-346-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2148-351-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2148-352-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2148-354-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2148-357-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Executes dropped EXE 7 IoCs

pid	Process
3372	sansayrex.exe
2544	7z.exe
1756	7z.exe
2092	7z.exe
3380	7z.exe
3708	7z.exe
1176	svchosts64.exe

Loads dropped DLL 5 IoCs

pid	Process
2544	7z.exe
1756	7z.exe
2092	7z.exe
3380	7z.exe
3708	7z.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 2148	1176	svchosts64.exe	124

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings	Taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\sansayrex.rar:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
380	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
3376	msedge.exe
3376	msedge.exe
3896	msedge.exe
3896	msedge.exe
4796	msedge.exe
4796	msedge.exe
3972	identity_helper.exe
3972	identity_helper.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3608	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1396	7zG.exe
Token: 35	1396	7zG.exe
Token: SeSecurityPrivilege	1396	7zG.exe
Token: SeSecurityPrivilege	1396	7zG.exe
Token: SeRestorePrivilege	2544	7z.exe
Token: 35	2544	7z.exe
Token: SeSecurityPrivilege	2544	7z.exe
Token: SeSecurityPrivilege	2544	7z.exe
Token: SeRestorePrivilege	1756	7z.exe
Token: 35	1756	7z.exe
Token: SeSecurityPrivilege	1756	7z.exe
Token: SeSecurityPrivilege	1756	7z.exe
Token: SeRestorePrivilege	2092	7z.exe
Token: 35	2092	7z.exe
Token: SeSecurityPrivilege	2092	7z.exe
Token: SeSecurityPrivilege	2092	7z.exe
Token: SeRestorePrivilege	3380	7z.exe
Token: 35	3380	7z.exe
Token: SeSecurityPrivilege	3380	7z.exe
Token: SeSecurityPrivilege	3380	7z.exe
Token: SeRestorePrivilege	3708	7z.exe
Token: 35	3708	7z.exe
Token: SeSecurityPrivilege	3708	7z.exe
Token: SeSecurityPrivilege	3708	7z.exe
Token: SeDebugPrivilege	3508	Taskmgr.exe
Token: SeSystemProfilePrivilege	3508	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3508	Taskmgr.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
1396	7zG.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe
3508	Taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3608	mmc.exe
3608	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3484	3376	msedge.exe	81
PID 3376 wrote to memory of 3484	3376	msedge.exe	81
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 460	3376	msedge.exe	82
PID 3376 wrote to memory of 1540	3376	msedge.exe	83
PID 3376 wrote to memory of 1540	3376	msedge.exe	83
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84
PID 3376 wrote to memory of 2796	3376	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4764	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.mediafire.com/file/qzqx86taavvynwl/sansayrex.rar/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff875a63cb8,0x7ff875a63cc8,0x7ff875a63cd8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,8471222830083686966,12316584019420175736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\sansayrex\" -spe -an -ai#7zMap15155:80:7zEvent16819
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1396

C:\Users\Admin\Downloads\sansayrex\sansayrex.exe
"C:\Users\Admin\Downloads\sansayrex\sansayrex.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  PID:1348
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\sansayrex\Languages\eng.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:380

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://taskschd/
1⤵
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff875a63cb8,0x7ff875a63cc8,0x7ff875a63cd8
  2⤵
  PID:32

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\taskschd.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0517a9ec1a0298a87dac0ad50c998d79

SHA1
c01cab2a1ffb6180134315d827709b46d07018ea

SHA256
084f62f24d15ce30e231b1690497a004070932b3618e06d6b26079a489f689a5

SHA512
d9be6c0e55a74137b1e6dc882b0e665cb6c18fe80ff585cccff0bd4fc32923b155b62000492613c861b3f0cbfa8996dac7ca12d66fcf06d1b1d0e57294dee84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
236fd72d944b494ed36178d8c80baa40

SHA1
affaef8eea7ac675dfccc68528f9cc828906d209

SHA256
c84f8f8ff1471655a154db4ba294d245cdcee376bd482f7b433b42f28d4f0184

SHA512
6db4bcd8f81de26f8d5a350019f45be7fe00c3531efbc2cf8e96c696b4e75acc81514fbe10c02410895fa318ec1d2c0bfec429da97451d32d9b0a8c340b2894b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
4d9a4f2b8925f6e2866eb2bd7c210183

SHA1
c9ffdef287dab4805c8963666ebf21a9ca2c8a86

SHA256
2e5c4a9740820705e08e878f6e31cd56ef6e2b9db6825df36cb2fbcd79caf387

SHA512
e70bd399a4553e9e6e11655628c3f3fcd877529d4735b9c1c65b3e593760aa032bc1fcfcece5281983a94c8931dcd6f79b59fa6a9f78b6815a36ca41156c3084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
e4b0f9fbc4637f71010cbc29e9b8ca36

SHA1
3118051149f194a6fe834b46740b4f2c89924e48

SHA256
de8f7010f63d80a20e7bd34500ca67594c148bac3d8790e735d7d0b8d503191d

SHA512
f41033cf1a30390047c59abaf19596618a0911e5db4fd09efe0ced4d14ef8d581c0ae521c061fd24512660bf392335282165ef3813f876cac2876f2d24984d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
8ef4982a0191369c478193aa78ac4117

SHA1
cf9232d08b4990eb37d4d17f4f30c33d9c7ea792

SHA256
7a4367326e72b31483cf93afb8aaa66ab8da6443de16bd45be2d821cfaa89d38

SHA512
9c429638123e1332e109ced33a4e154582d985f7922cdac67f14724cc02850f0e43fbbc6ece09806ba393949f75a6e4ad5d77c1581ce945392d3c16a4a472aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8c74abda414448c79e1b51d4e6dfb3ad

SHA1
a4520a60b0d1cdc71f0fcd59188aa808f5612103

SHA256
621451279802ec1cd8d80974bd72ff6ac59c69ab24830a90249d0ed0807a8297

SHA512
17416a8e9bb8ade0bfbdc969d3fba54863de4a5bd57ac15d1d31f67fa3c9266391a86e7f29809154b658509f6a54b2ae8ef1d78742a6f408c87fbfec5b81ea0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
782010ed8c7501195a360cb0baac46ac

SHA1
7692a066cdf6e7947b104093a2b48d159ab5840c

SHA256
72ba9009a666112892e0c621ec927b93be4152119ec87fc2372fe9f7de8c9850

SHA512
f0c966dbcd4dad87e8d1fda522d1241f797078c9d9668a583801d9289bd896421f392fbc1867e0dcd58ba0d8c65398bd0c268a0fed746ab12b28157bdef44243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1e9dbda280a3ead91b1d8c0731c188e1

SHA1
017d4d7c148503526f8a531740087d3bd58fc776

SHA256
f53f7ab0a21d8036aef3bf3ddd59460b0a2d9d09b8367402f24bdce2eee814de

SHA512
84e2956502b3c7c24e69c06225a8cadaee7cc40051d5561423782b8d8b6455e7c1c3e3c0a5ec664c0398b5f3e26b5ab9f12c4f795e34b7a00948a537881f2450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df6897647db2d8d6d608ff34e8610884

SHA1
93535ed88b4417f4b9b724939f9749ecd11769a5

SHA256
c38332e634854ab89a39a081927c49927fdf79c7a1fd1ceefa622e21b19a2c95

SHA512
377a724f169641612e7d6511598682a602d1ddfdfd383c183a9a5ad803743b7f511aa85f256af29f9b2244f4c08b3f39e08f49606619c7808b0f10cdd9f2ea70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7df2c00df5f8b7c406ae21b9dab6b651

SHA1
0f5ff3ecfb8dbd9e4dcc81561c97503d1dee01bb

SHA256
1e283cc47ab89da3b0757bbaec46ed369a7a0b03590e8d9055f4b1cdf7fcc901

SHA512
91831ce4d671d9ae29e9083166e896402d57226e876738a0e3edcc23ae7f4144ad86563447c4b7a500c746da3e9e3e7db27ab3aa77d65359bf0712b65e3bd790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a2f02c3d6e2d16e24988b6289647682b

SHA1
a4c8d89ba7ab7b4166ddb584075c7486f5d30bbc

SHA256
833a8fc914df5273a191d853fac88cdb9de19228d58bad2ec33c55071d6fcb3c

SHA512
a6e7db8d46eb0d8142ffd54cae5330fe2505342cf5330157d7e08cb5b3b53408ab9175386cd7f24c740121fcac1f0d937cfbc39b327ebc31ce4245c0bd40512f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e6e4f55c3cd09e13da447a0a13431762

SHA1
eda9af10c0ee6a6e2cd1026c9c9a3a0d8e309bd5

SHA256
bf77a69a6c5cd45877b7c12f77940cf30a3713652a5e1315b48382d8d1ebe958

SHA512
d573dff25e0841eb48ac4df5a3b6dc90d1eb2e228521c34d864ac25b0f6af418e77ee812ad7f9297f61409166f4a70de2ca41d732c56f21e3a627ff0b3c4be89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be21fd02fdc141a8e2ce935ea8e769c1

SHA1
b939b9562267fe32fa469b2fb42e09e1a2e3f005

SHA256
96a89d240951c0b5cc9d7814280a2965c75a0270c0dc26c32d7b57618c2a3c9d

SHA512
ada8bf810f2723b7985719ebbe6ce3b56bfd09b7cb20a63cfc6f4ada8d76f063c51fdd3eafd81c6cc3bfc80522733a6139f1d863898503664375df5df7c6a87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.3MB

MD5
7ec81b32f50f2f3be75fcdd71c770870

SHA1
19b57914116cc6ec81689a2278ace755ac1a791b

SHA256
59b61865020484143818596573bfde2f34120f0a2dd525d191f8a26d5ca3080c

SHA512
8bd18dd66fe486ab14c2ab37d8ab0bf211846353b0508452595a01bf11455291b602ce21418a6cd97b39ba2b65d62c819532add59be4de0c2bce6c3254c81602

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
101KB

MD5
17433c6e255de602f9c44d856024bf16

SHA1
2d896cb5c4ffe22e4e0afa9527a9d6e4e70b26f6

SHA256
7e8d58f95491f109f785663c9721617ff95d16e759701d66fa8d297a83ed8f48

SHA512
3ceaa6d2ac15f9efc81f18fa36213f3c50a29e5caa44fa130a94a575cadf723b2c726aa91851052d4a349438f8a20bf0e2734cce7cb1e28c95dc049122595dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
101KB

MD5
67109fde879af1ca9ef5e5d5d9a19f9a

SHA1
410cc3bf7c947edb1768975da32f84dcd9de5aa2

SHA256
2d026e24e9020251182e2e2b2ac3325b417352ed3b95beff416d2f1219b5b940

SHA512
d8e52c56c0eb278669e11acdb3829ec2b43d526bf0af64af7d949a703ef6357855af42512d54408ddb9526c4deb148060c9f110df90ffe2b76ce6a0f5012601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
101KB

MD5
fdec2403c7ad8bf740a2091b57f274e5

SHA1
e22542647169038d571241af64c9f71a3e5f5973

SHA256
b543750a8c4ba46d3c2d4d644b03229c3f1334074a0b8bf644030ae48e598fa6

SHA512
a13dbafdd44249bf23acc1ed9d7fbbab5b96399cad2a0a7ecd908f2e996632daac42f4d721621b67c05809f1bba44a5be20bad40d26134251de064cbdd92ed3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.7MB

MD5
fd00fa1f1c0192845e3c44cbd4d5bbab

SHA1
9e12b3cb87b1742ab44e75de1c57f9d213161a7b

SHA256
4ee135e34c3fb1fef1676edf7116ca0cb4a3d059cbff5777714fd553dfd594b7

SHA512
a152fd49a320f92d8cbb82badad16d98d9990fd1db9d13e9cdc075de1ac367414d1353e8d278954ae2c32d95fc81f0774b6ad79f88d5755488506747cb495c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.7MB

MD5
239b7b01a0a653b79e241112d31ad859

SHA1
c1a0be543bbe3dd686252a0193c33f43f80fad8f

SHA256
b295d6686aedf46611587ac06cbf214cf80dec59c05050a32d50d524bcf89963

SHA512
f42667f9be2ad592ba06361a12b89842d4717adcf93163304e5019ccdc2c53665fc9707f0652bab834c697f5827a1f0fd3275250f940833c12216900f9aca2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
479B

MD5
4ab2e0a497fed95a60c88c38490792e3

SHA1
bf384d79104af541bde5fdfa6f55ef689ba44f56

SHA256
28225a667c6a973d5cd2fb05ba2b0c9c3d258d5b9cde93bcae42fb826f959486

SHA512
d5af5132eddce82ee657c0e52386f0f44f6c99083605311a017b15ac1feaa9c239c30613a5224540c222fc7c4cff21eb9c1ae0ee18be3557bf6205beaabbfe2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe

Filesize
199KB

MD5
66cad6cec7c006160d7ee00e68d3e613

SHA1
214d38110bd8dd537f065c14d9edb1d516b215aa

SHA256
52409566790c9ce35688f0fb96596a1d62912733618ddc1a4467c58d901fc760

SHA512
a2a6c47816943641f968579bc40402f6542b44b19f81a9ed736a096d3322e274454e458da9698f13b58ac18463a6f2b7591413924239b40f11952a3c5e0ee836

Download Submit
C:\Users\Admin\Downloads\sansayrex.rar

Filesize
2.7MB

MD5
ab3fc014b70ca478c3d69087822bd477

SHA1
7af220ee31e5c62b7594f708b5db767cfc636577

SHA256
7741cd9265cbb2052bfa489dc62a467b00362e720632c3d620ea939da7d756ce

SHA512
c3757cda1eabb927a19c3e69cc5783e179a1ad1b6b8ce878a1738f69f695dc3a15002e64993d9b87a11cb6e0fb77a7887c5d4e14286c0f642107fb49613f2e92

Download Submit
C:\Users\Admin\Downloads\sansayrex.rar:Zone.Identifier

Filesize
65B

MD5
27ade5fcd17aef49f45054c70143650f

SHA1
e8b6b3c0d1ba3a1e2b4f3087cceb2727ab6fa3cd

SHA256
003340bd05158abe7dc8029645969df0a793898da3a2901cc1e8ec91c0e76878

SHA512
8cd7e599162e36982a5010e08c0b6efa3e358e8eb1f224785281e2665b61f9ebc8ec53f1539d1be4df6b609a9b4196c76045912906d4a8e5a9072072cb996b00

Download Submit
C:\Users\Admin\Downloads\sansayrex\Languages\eng.txt

Filesize
20B

MD5
6984ccdc90dfe005d053b0f028241585

SHA1
e46291cdf852002ee181b8d005637e39882aada3

SHA256
ae32e5572c95b5fb5b23e528a4d844206c751bfc82a7c32723677baadf805d3b

SHA512
dbd17fa104ef4ad28ece0e65fe4a289418ea39000a096ab02cc22f6bcfea20546f06bbfbadb5fb54812ccd87638b29fe938514f139b17d9c14a20c6db64bf6c1

Download Submit
C:\Users\Admin\Downloads\sansayrex\sansayrex.exe

Filesize
2.6MB

MD5
a25d399bfbb718f733d4113e44f33020

SHA1
1334d12a30e493d3a766462bccd81750b5268b9c

SHA256
892535a44436246917c024c5ee1b88329f40a349e50b62ad418a6fb4f7455c2f

SHA512
d3f19995ba0ca103b0f2973ea3b357e039c1bc66584c3028c462bfac9e443895de85fffc70ac2ada6e9fe95ecb613f0e4691f02f2d9cd237745710b5ab266cca

Download Submit
memory/2148-357-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2148-354-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2148-352-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2148-351-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2148-346-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3508-286-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-276-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-282-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-283-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-284-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-285-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-277-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-287-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-288-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download
memory/3508-278-0x0000029E465A0000-0x0000029E465A1000-memory.dmp

Filesize
4KB

Download