satana | hxxps://github[.]com/ytisf/theZoo

Analysis

max time kernel
220s
max time network
220s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo

Score

10^/10

satana bootkit discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2D4D09D6397AD51FFB2C188ED0EBEED3 and pay on a Bitcoin Wallet: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2D4D09D6397AD51FFB2C188ED0EBEED3 this is code; you must send BTC: Xoq9wmiB1vbT7WAkGZWcgex544YGdC93Eb here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Satana family
satana

Executes dropped EXE 1 IoCs

pid	Process
2136	vxigadz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\oefh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	unpacked.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
89	raw.githubusercontent.com
38	camo.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
84	camo.githubusercontent.com
86	raw.githubusercontent.com
37	camo.githubusercontent.com
87	raw.githubusercontent.com
88	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	vxigadz.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxfs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\xfs_conf.dll	msiexec.exe
File created	C:\Windows\SysWOW64\xfs_supp.dll	msiexec.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSSIU.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSVDM.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\LIB\xfs_conf.lib	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCRD.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSIPM.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSALM.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSBCR.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCHK.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCONF.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSPIN.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSSPI.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCDM.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\DOC\LICENSE.pdf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSPTR.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\Read_Me.TXT	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\DOC\Release Notes.pdf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\LIB\xfs_supp.lib	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSIDC.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSADMIN.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSAPI.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCEU.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCIM.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSTTU.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSCAM.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\INCLUDE\XFSDEP.H	msiexec.exe
File created	C:\Program Files (x86)\Common Files\XFS\SDK\LIB\msxfs.lib	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1049769865\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-es.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-eu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Part-FR	msedge.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-cu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-ga.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-gl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Part-DE	msedge.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-de-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-hi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-it.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Part-ES	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Part-IT	msedge.exe
File opened for modification	C:\Windows\Installer\e587942.msi	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_142107326\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-sk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-sl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-te.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Part-RU	msedge.exe
File created	C:\Windows\SystemTemp\~DF1F90231997BFB358.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_7867698\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1049769865\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-cs.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-kn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Filtering Rules-AA	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-et.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-gu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\~DF5E1918E8E45618C9.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_58988924\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_7867698\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-cy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-nl.hyb	msedge.exe
File opened for modification	C:\Windows\Installer\MSI7A8A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6268CFE621BF0E2F.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-bn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-la.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-lt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-nn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-sv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\adblock_snippet.js	msedge.exe
File created	C:\Windows\Installer\SourceHash{05DEBE9A-1A35-45DE-BC6C-BD08ABBCE3FE}	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-bg.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-pa.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-pt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-tk.hyb	msedge.exe
File created	C:\Windows\Installer\e587944.msi	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-be.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-da.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-hu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-or.hyb	msedge.exe
File created	C:\Windows\Installer\e587942.msi	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_58988924\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-as.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-el.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-hr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-nb.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-sq.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-mr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\Part-NL	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpacked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vxigadz.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006ff5154e0b80d71f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006ff5154e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006ff5154e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6ff5154e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006ff5154e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875107733456745"	msedge.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9EBED5053A1ED54CBC6DB80BACB3EEF\ManagerFilesAndRegistry	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9EBED5053A1ED54CBC6DB80BACB3EEF\LibraryFiles = "SDKFiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\ProductName = "XFS 3.20 SDK"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{205AA7C7-0A1F-414B-9315-17523DA7627F}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9EBED5053A1ED54CBC6DB80BACB3EEF\SDKFiles	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\Version = "51642368"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9EBED5053A1ED54CBC6DB80BACB3EEF\HeaderFiles = "SDKFiles"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList\PackageName = "SDK320.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB9CDF5C1AB2CFE4CA91C8505780A2F3\A9EBED5053A1ED54CBC6DB80BACB3EEF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9EBED5053A1ED54CBC6DB80BACB3EEF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9EBED5053A1ED54CBC6DB80BACB3EEF\DocumentFiles = "SDKFiles"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\PackageCode = "6FE6C339EF8D0204BB283E12F1594344"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Backdoor.MSIL.Tyupkin.zip\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Backdoor.MSIL.Tyupkin.zip\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB9CDF5C1AB2CFE4CA91C8505780A2F3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9EBED5053A1ED54CBC6DB80BACB3EEF\SourceList\Net	msiexec.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Backdoor.MSIL.Tyupkin.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AntiExe.A.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Satana.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\vxigadz.exe\:Zone.Identifier:$DATA	unpacked.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5684	msiexec.exe
5684	msiexec.exe
1444	msedge.exe
1444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1836	msiexec.exe
Token: SeSecurityPrivilege	5684	msiexec.exe
Token: SeCreateTokenPrivilege	1836	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1836	msiexec.exe
Token: SeLockMemoryPrivilege	1836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1836	msiexec.exe
Token: SeMachineAccountPrivilege	1836	msiexec.exe
Token: SeTcbPrivilege	1836	msiexec.exe
Token: SeSecurityPrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeLoadDriverPrivilege	1836	msiexec.exe
Token: SeSystemProfilePrivilege	1836	msiexec.exe
Token: SeSystemtimePrivilege	1836	msiexec.exe
Token: SeProfSingleProcessPrivilege	1836	msiexec.exe
Token: SeIncBasePriorityPrivilege	1836	msiexec.exe
Token: SeCreatePagefilePrivilege	1836	msiexec.exe
Token: SeCreatePermanentPrivilege	1836	msiexec.exe
Token: SeBackupPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeShutdownPrivilege	1836	msiexec.exe
Token: SeDebugPrivilege	1836	msiexec.exe
Token: SeAuditPrivilege	1836	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1836	msiexec.exe
Token: SeChangeNotifyPrivilege	1836	msiexec.exe
Token: SeRemoteShutdownPrivilege	1836	msiexec.exe
Token: SeUndockPrivilege	1836	msiexec.exe
Token: SeSyncAgentPrivilege	1836	msiexec.exe
Token: SeEnableDelegationPrivilege	1836	msiexec.exe
Token: SeManageVolumePrivilege	1836	msiexec.exe
Token: SeImpersonatePrivilege	1836	msiexec.exe
Token: SeCreateGlobalPrivilege	1836	msiexec.exe
Token: SeBackupPrivilege	4736	vssvc.exe
Token: SeRestorePrivilege	4736	vssvc.exe
Token: SeAuditPrivilege	4736	vssvc.exe
Token: SeBackupPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe
Token: SeTakeOwnershipPrivilege	5684	msiexec.exe
Token: SeRestorePrivilege	5684	msiexec.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
1836	msiexec.exe
1836	msiexec.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4036	OpenWith.exe
396	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 5520	3556	msedge.exe	82
PID 3556 wrote to memory of 5520	3556	msedge.exe	82
PID 3556 wrote to memory of 4944	3556	msedge.exe	83
PID 3556 wrote to memory of 4944	3556	msedge.exe	83
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5000	3556	msedge.exe	84
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85
PID 3556 wrote to memory of 5008	3556	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ytisf/theZoo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x26c,0x7ffae6a4f208,0x7ffae6a4f214,0x7ffae6a4f220
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1724,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:11
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2552,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:2
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2216,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:13
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3396,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3412,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5128,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:14
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5116,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=4796 /prefetch:14
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5508,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:14
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5896,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:14
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:14
  2⤵
  PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1148
    3⤵
    PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5896,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:14
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5560,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:14
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:14
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:14
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:14
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1980,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:14
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3468,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:14
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=3604,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3616,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6236,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:14
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5040,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=764 /prefetch:14
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5616,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6332,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6320,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:14
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:14
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5748,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:14
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4480,i,4150279618845573495,10258152703310870217,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:14
  2⤵
  PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5672

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_Backdoor.MSIL.Tyupkin.zip\SDK320.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5684
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:396

C:\Users\Admin\Desktop\unpacked.exe
"C:\Users\Admin\Desktop\unpacked.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4720
- C:\Users\Admin\AppData\Local\Temp\vxigadz.exe
  "C:\Users\Admin\AppData\Local\Temp\vxigadz.exe" {1030d5d9-0076-11f0-9ec2-806e6f6e6963} "C:\Users\Admin\Desktop\unpacked.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:2136

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587943.rbs

Filesize
13KB

MD5
4a72e4809d07ae4171e723b9957e19db

SHA1
b3d16a774f8fb9939edd647758328c4e8c57f6a8

SHA256
28edd6fbd3882bf1a60841645103a0049652d491b0c3e11a51e1826630384283

SHA512
36150229d02cc860b55332553467d0e2d0325b34b10678ffdb49b7a8852e870f8b89398be9eeaf6d3356df01ef55fe581337b178d0e312b9ed230e46f347d5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
623d0eb0c4a36135a270354557aae018

SHA1
864d2599207960d2aedba50ada4a3b1b2a5a8b87

SHA256
52b485675b621aa85ff48f5cef95a29f845616b63d9a683bb7503f324cee3d03

SHA512
685e69631c295fee7ddb6bedccb9ddab7ac0fd5d5476f5236ee22d7b8af871f9705be8f30ec71b0bfdeabc69927be677942bf8bfcfbdb7ed1151e7dfe80105ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
6b25decf46b9b9d262deb97022a1ed14

SHA1
a32848e6b62f1a7abf50c0b905498ad1aa3a618f

SHA256
301bdedbbd0138e439213636935f96102667594a01ed0bf31e0d63116a221868

SHA512
d28c49f5b351658cbd92d51905b6e143166e7d19c88eb5fbcde2a58282aa50efdf4d3a195928373f0bc98a9de7c756d2ee94a72fa0ec5f1d4c68f54c3219e711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
9bacbeb5c48af02c9bde4d7a7ce3bb3a

SHA1
45865b5f0be5cefe53bdaad824ed220d7e0a9bf4

SHA256
6e29eeb5f5e8bf4f6a876b19a09d6b11ba80d13b00a890cefd316c56d76b3e77

SHA512
979e517fd48c1f51f06cbd4879164f680167e700f69ede9876b652b2b4e8eeaadb533f8abfb2627e48247d86de893b8ed2851abfd883efa64a61b7fe35ce1d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
89028f37d293a4ce9e4fab2eac1db6ac

SHA1
f9f86b50453ea2590953ac43022b7b944c4537dd

SHA256
f21392a0c01e41ae467274fda3e52551743953c114b0219e65d97ed4c0e1bcf2

SHA512
0050e6bfc54acbd27ee800d43f0b4ceaa5bde9dc1f438ae4e7b1f68b3b23f56fa80fca8e6514d5e845f89e83f186c36d98449a7b6592881ff0515fe31629bc66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58580e.TMP

Filesize
3KB

MD5
ab818e74371967518b89383535a97a4d

SHA1
a00eece5c44b9c40d30fda4da31579892ca28533

SHA256
219546c35e5fd632285d65fbbcdacb525c2fe4c4f7b79c798b9d59ac71687d51

SHA512
fda9163679c0bad005c5ec324505d7885590fad3252d22a713c0347c2f07fb5756cc9515c7abee6486774d66c6be80273531f9e96523e838f785b4d505b23253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cafd5b16b9c4241fd38064be4acc8eb2

SHA1
1acbb1c4fa9a84e566176740438b0751663eda87

SHA256
e9b26dd435644fab37fba25240abb8f406b6aa7ac9a852f4e326313c8c95129d

SHA512
81b24b0f371caa28282f86ddf00e8496a4379884684cc0615c31219ea239359aa0ac47d43a63951dddea44559c6a9f3669165637c52854cbebc0d7298004c4c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f257a049b1ec290d95d6c0e3a6bded64

SHA1
7c94e51c52625dc3d3de5eed85fac60093ec1178

SHA256
89a1d10b6dbff736ccc17ce9724e27adefd917241be5fc7c276a9c06f356c495

SHA512
c89ed67d73b48b051fe558e5ee7917990225f03490e4287730c6eb7e065bd3ff291487a32f99fc45711c6181e5d824b741d06dc5a77f27e082f47aeea102cd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
569b3198ef81287e2271fb664ceab673

SHA1
ab2a50dd47c6857de62a6c292091d5c4b3612677

SHA256
a9c28137d280a9b5b63b2917d9825b6dbcade07ea43ff2d9403374805717f0a0

SHA512
6a428c7f030b24d76fb72697defb7968377954855d6f54143c4cf417c36e00189a42f93d12470892d66bdb967dc0d004599111aedbc087eb80adc68b6ea36220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
bb5f2540e780fcf18bada6dde40b025b

SHA1
d3850056e65905c2e501aab6be622aab15a6d4f5

SHA256
7ce8a2e9b572cfee54a7374c3150f8e0a0c85e8f290d734195a94b8137c6b211

SHA512
7b635c3d93fa204157fa78063c91f7a1d732a0f630254c65fd5092b78d6f8bb7252b292df26a1e6834b51c81028ccf9d0fc35f56ddc1c1584b6a0e14cb531931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
f08c6c127ef959d6b2352b0c161da23a

SHA1
d4ca6b811ded56d0e425ab8aecdde79ed64ee075

SHA256
15e7da2068054ec95cfe2a1052e5b270eb899f3929e00cc4468e8477ed1f20d2

SHA512
d0689e6173029e4ca4b1d3aa2b8d9c72f5980b9deb62959638d19a1b6150720c1256314e7da1aa2f4ff6a6fe68ce2216215b41009e9c948ac30d2cc73db17c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
5381a998b6e85f28a855e3e97e50bcee

SHA1
a49868e4bb990df9bbefa904913706975b90b0ed

SHA256
043a340450623300e465277311436747d7d47b881ccbb963779b2dd2626b517a

SHA512
df547172fd89428d9389738da4c8ee152f3caa44d5df6a7182396874c24222b5899b3eb9822695006e080d0b4b8fe2db25a1d8efdb0acd9805b6e468f6c739e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
31dfcde8fffeb9dc071460c3a42c3a01

SHA1
c44ae2201ed629b440fe6e6162726dbbb5bc7aba

SHA256
346f64cca6288e31896de50733c8307c5a1c01c9e0b523375a154c6e7e18248b

SHA512
2c8434c8adcf4711d1f7abc9860b16126578006b7102ea4400742befa2de040f5f5a320330c4c20a97c55e6cdbaae4d11e65854120a8967b897d04de7a974667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
e29d4bd84d7809b79e7985ad73b7a285

SHA1
94084d87a54df025fa767c8604bc1212f4e1b2fc

SHA256
5677cc54b835899dfe0299d0132c4e129efc20d9a7e6cddc619e7fbdfb8e31c1

SHA512
48c2a5aab0138fe4f7346bee2706c1e3e1229e56d7d08a9c867ecaf2351eeb80ea296edcb48c28cf62caa70910fda204dbba339e47f7497bbd4d1a79d0861269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
d407b451110b8328506f88f3033310d1

SHA1
27929a71469d11608daa36cdf8449ddfc5739114

SHA256
2c492baeba9c1bfad252c58a30a0644c22ab46035689315d6e96940377462bf5

SHA512
cb4a7e884d591e7c212090ff6fce0c0c24cf98dd58ccc94647cc641f5eacbc10f47c25261f36b0a923f4ed01338b4d1366c99d0ca148ea604aa3cbd8ff109c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
0cd19ddf60b920ace214107c3434d258

SHA1
fd64420b8cdde46bf078ebd4ba6fd3536fc15730

SHA256
7fa54c46e84ca1e3d745c8f8a281658743d959d8aca1b2b7c0e462ce1fc74c18

SHA512
b11f27a5153ab9f1b469d403fad65bd444f7f65440dbddea2707052817ed81f6baafe9da573b0e6c487ab7cef6c825e0eddba11fd43c5815d3b8d8feda44bd3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
f56cc2ea806c7b7ec39255e33853a037

SHA1
6fc8c6fdfd896f4c305a21eaf55d61287e66cb11

SHA256
319ceef835bce7ede8e732d35df0c2ddee6e60569967e2d3fedc689f7365f9fc

SHA512
b9f371d7cf926eebd8e0a082fc652f4472682de55f5b12c1606c0d192aa392849617e8801d35456b7d87719adec00bcee1510cc267a14887f638b8d6bbc59ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
cd3474c020be3db13a582db2f4fac57c

SHA1
26d3ec345eed12024ce3800d98b6c4f7bbb7efb9

SHA256
5a0965ffac7abd8983c5b12480590db901a359ca257d047b49b567df56983372

SHA512
a084f7811b31f303a20038e94e6f3beb7cff5bda264a46cb7d888a3b548ba638b7ffe33059b1a49cdbfafdca14d6e2c7ba598921f480fcd905806c33ce2365d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
85a9ee399921cc4d35a9e65e61455ebe

SHA1
f862f0fbbf698b7b23f92d51da41fdbb1edd4287

SHA256
b26b7820f55e7e7486566eddeede17746ee6120111dcda9249584d7ef272097e

SHA512
d2ebc700cb1ba65e365f529e245f731dfe355f63408d6a8d32a75b6eea3078b140b6a53e578b9533dc54e6af1256143451ade850b01ced727d8f5691b42426d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
c3a52b24090aa6e36c2f79aa14426777

SHA1
9e64c26e26984c5db1b8318fec49821a80fa1cb3

SHA256
82e0fd8ceea45aef4c424344f4fc660baf4f88618dccf67571d9c9e776045863

SHA512
3c641ae28c9d1eebf92863cd32ae567af00014650ec82b3cbc5a9f336e5a68a21fbe9c61cec4fee1c04a2c099330b7a6be06eae267f23faa3ea7e644f672b461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
951e61b1723bd1355ad3e0b3fbd29e66

SHA1
a9023bb73caa07f7e247c68a2972a53343db0adf

SHA256
ea67d5bed885055bf38fcb986c6ba61871a2c2b9a71daa4142099d23cb668288

SHA512
75e66dcfe1b24c8fa3a106facaf3417ca276f38e723072c4cd7894c688c34da176e733a1fbc033371c4d6a94b5d5c8c0402133ebf443c860061c6286747ac090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
66fb82994195951a69e0721fd1b2ce26

SHA1
87d04164fcdbd2bdba10399a58e1aa41f2d6f085

SHA256
3a5eef0347054bbcf0e3e0263a2a560c0902daf95e3f90f039609d20b5462bf1

SHA512
3ac631ea999a7b39870b44cbcf2fd48bceca8fdf96e2d45e5804b07459fbb940bd1d244d19b3c8e90033b3c8b3b916e91789947d0f3132e2c44199de25dd3631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
fec2efddf175d9297af01b93f209056a

SHA1
90c2c8ab1faae30734872eab044fe6887c44592f

SHA256
af9bb0b3feaa6ef0033fbfa6b6db2200739be6269431f477641bc99eb8145309

SHA512
e341df7e38eb9ce9239bb2e7f99cacfe5a282cbebdbd8521db0704fd264fe099b4edc99c17f8d9b902ae61f92aec8da857dd990b77a31af27679f51bef055ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
71e1b7d7e0d088635fd70d571d7e29f2

SHA1
27f422ef07a4b4ebee53ada3f31d6cba267d543b

SHA256
7ac7d0cf5798392feba1a6621404bee0e8cce2affa6ad23d45574a92c506e79a

SHA512
ae493834a510b8b32877fd1152ae3f9e7dcc0b2afb90c852855a7fdb84834e03ecc23b671dce660aa3e888440fe4fe017321cd76988d45ecfa5dc58365b94a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
bed469baf5148908966659f05b3d5c61

SHA1
d4a4b4100a72626aa8b24b115dcccd51cb7dc56b

SHA256
fd3640620ed17ca679f83b9542b248c993744af539bb579731745257fe601d17

SHA512
d206c08120d1a5be1468a464520d7c7a17bd0df6228a47ef49693f3b718232f5e264582489bf2411cca79d4bfb429c58843b501611f0808f3264c64d8f5532a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
8078a63174e8f6daf93ff263edb21422

SHA1
f25c6ce522d8e852e11631591efa4f418f4f45fb

SHA256
f40e36015c456bba3a93f054c87519bda53f90f7a9d720b4a1159bf14f852b54

SHA512
f9a06ef5d562aa8322f9c2974cbc060b8f7f02f15531661b8f2bb8ca76f9424c75651813df48e9467bb671174bd68c999ab1120f609a1699090c499259ce0a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
796bb72c8918f7df94c652c27c03049f

SHA1
0c95b50f54f133423dd1691846a5668e2e3c884a

SHA256
d75feaaace41df310740a6f8bd62eb40d74e1a3df9cc3e2474d424d79cd49636

SHA512
c2c9c7cf8bc73edc03d75bf189b5ae33046764e55ca2f2af1847048fb60637deacbcf93f99d2bdb96d54d7ccc59b524604e45d376cc5b9e47dd65b057c7b0117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
9b25921cda0fbfab9c288162d54c4c15

SHA1
8b708ab8b8e1865bd35b28ab7203310f998ffeab

SHA256
205e2df9f6ccd6ca95b461f78bc1de2d90efb023d91468dd10e882e3e6cd10c8

SHA512
9370e9a3356e4ac15a68ced426f73b3ffb496d7102d2ec95e0c0f82fe3a48746ac59c07aa0ce2861a25eb0b5e0548d027357d47434cf3f044af230582dce9d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
6595cbb74a1484d1177c44818f6e7483

SHA1
8e770049279f5436ba53bb80c24bf035ee0ddea9

SHA256
cb5cc8d9db854b1560a0c03903dc55945ccd37c6e89253ef014d160d34dc5323

SHA512
d2a0fd921457c4e2c8735661a88311044d876058730cf5080874cc0e42e7aae1b595539d6574567285d1ecb38924c7ebb9b00088dd27572b7af3eb3e70b94b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe586915.TMP

Filesize
392B

MD5
2333ce7ddb8d2c087cc68a5849b15ab3

SHA1
2e1564d19c733cf1e58ad5cfce3faf34f37765b7

SHA256
114d1d6f8b3adeacffb47a392d5fdc975b0bb7f63f333ac3568d3483c1c9dcf7

SHA512
2e52d0b967a15ea8f347484d8470794c661b3332f366fa1a8a61a6d89ab2be79c0e764cc98f3fa5bb551a084ced04ab79f6cdbb7cc8465156e6503abc51dd4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.26.1\typosquatting_list.pb

Filesize
628KB

MD5
7c411ccffc2c011ba155c4bae74c9217

SHA1
6e0f96399bea0c45b188caf7c11b2549a2bbb551

SHA256
71529860ca9874c1b29017b1b4846986d14f51f9f60dcbd8c7af7559cc0e0ac8

SHA512
cbeba7735948e9565f4d7ee462366693a6915758486c5d7a84a4d6eaf0bcac948f579e91d883e1d6ffa27268acd10db86f02d7f9111837c757349e8cfa8fc0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Filesize
1KB

MD5
34f217e7e9f53d01330838b8e1737909

SHA1
610879c753f7b240e82d825356219e1c80afb417

SHA256
725ac1a6f1ab10e6a8faac4871ab0ae1baeecf95d50b0903751f34475b18c8fe

SHA512
c1201f6daa121e00ee7643721733175dc298a4de62d65181221ce820b1eed4b37462af1d90e43d6be2914dd557e66de4fb6cf9a51674feb8376b53049e8e7327

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxigadz.exe

Filesize
72KB

MD5
108756f41d114eb93e136ba2feb838d0

SHA1
8c6b51923ee7da2f4642c7717db95fbb77d96164

SHA256
b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

SHA512
d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxigadz.exe:Zone.Identifier

Filesize
86B

MD5
df98628703f0cffd2704fa16ccc69d4e

SHA1
4bb8491eb44a8991058b71ef1eeb0d865ee055c7

SHA256
1d6c0da412b7a4df76d64cae7ed6ad600bc1ca19db7a79b52f619097e76c8fa6

SHA512
e51a356b78b6a56b2cb4541e91316189aaabb60699a76fcfb29e26294e36e7fedab3888989e6925ea86ba6654018030ed0c5ae75e75214c3864e1a89dd6d9e82

Download Submit
C:\Users\Admin\Downloads\AntiExe.A.zip

Filesize
3KB

MD5
8cee47cd109adfa5c5816685af873909

SHA1
8fa3b60ea7b526b46ca22fa6544443a670a7de46

SHA256
93861a8aa9a4f42489d029c64bc0599c208971891c70a9b2192b60e20c57d3bc

SHA512
b24d2f10927d10520e017151c0184fabca08691119893fdc04852c7caa775fbcbad29c7e6a20517c7791036d42e18b0e4b4ded2babd1707546612cc12265007e

Download Submit
C:\Users\Admin\Downloads\Backdoor.MSIL.Tyupkin.zip

Filesize
574KB

MD5
69fbc6a70b315d827c524bea4b899c44

SHA1
38ea7bae684864714599fb0d1e7f702967c5a35a

SHA256
fb07fb7cb7b15ecb86920b74be2ec2b955ae356b464baa7415a7f257b0c02e98

SHA512
9ad9c936bf869c30b2b0ecda4f362dbc43647ab6c9c0a8ed6a7ce12e7c42e6281340d93262a01c9ceb55765c05ea6ee043104ce9f178e3185c1fed3f18efa043

Download Submit
C:\Users\Admin\Downloads\Backdoor.MSIL.Tyupkin.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Ransomware.Satana.zip.crdownload

Filesize
57KB

MD5
82f621944ee2639817400befabedffcf

SHA1
c183ae5ab43b9b3d3fabdb29859876c507a8d273

SHA256
4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f

SHA512
7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b

Download Submit
C:\Users\Admin\Downloads\Ransomware.Satana.zip:Zone.Identifier

Filesize
271B

MD5
52d622fd345f4399fe6edcaa2d832330

SHA1
38e9055e160e561b4f82afd2086062d45c82fa8d

SHA256
3566a569d78ec1f13308ac8040b4c0aaaf45af549d3ea716afc0e3099101f055

SHA512
622d81dfd95c05f94c3c2c82f07e8217ea91e79bb6db57e9b3f84bb1e722c8a213f0e1b8c3608fa316357ee50b107c9d2e577c976ee2afe29758e35d251cd132

Download Submit
C:\Windows\Installer\e587942.msi

Filesize
457KB

MD5
32d5cca418b81e002bb3fdd8e4062bc9

SHA1
798d6d8adb449de0a3903af062c8edd8e401c2e4

SHA256
6303ee28660f9d8bff4a494f96d681a2cebc72e5abc1ac3b0fdebcddbb7e0b8d

SHA512
8321b57b238076b88277e7f7bf38711ff854bf92ef25916c0985c6d7f152b7d566ab27b09be550a4cc235aa335f6ce2eda95b07911c21af07a9148212df5c33e

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1049769865\manifest.json

Filesize
118B

MD5
86095c966115d8fbabfe3e7496461e73

SHA1
9f6af2a9e4608c25b5c9257acdf77ba9838abc1d

SHA256
9313c1c29918e4a75e85b3146647555080286d61517f0ac9c62c1993e274a6a6

SHA512
51970ae96e6af2a2dbf086ea25a7ec6912a76954346dc85c885e6fd81128699abb14b368b09dd18c5d34183734fc6cfc8dcf0db03b916cd1dc21af7180653005

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1284517094\manifest.json

Filesize
116B

MD5
2188c7ec4e86e29013803d6b85b0d5bb

SHA1
5a9b4a91c63e0013f661dfc472edb01385d0e3ce

SHA256
ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62

SHA512
37c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_1412040676\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_142107326\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_142107326\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_142107326\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3556_7867698\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
0f7ed139c2f93d4c49446a518f358a6f

SHA1
6477a04e151ceb60fbe5238a0768c1452c217065

SHA256
45429420393e46135da530b71bf82da923cfb6da60ee855d07d799d815fd654b

SHA512
000fb419e9c74eed2589edecc560b36c87a8551f5b6de86f6f0084cb57ca693597e10614f5f6d784bc2d4b47d46480a7bec6534b07688548c6aa9fbb450bcae8

Download Submit
\??\Volume{4e15f56f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5ecf4093-bb6f-4367-9ac0-0768fab3066b}_OnDiskSnapshotProp

Filesize
6KB

MD5
4a2a219144a5f8280a2955b2985fc862

SHA1
98542c6d3e91a09a890f3d0438739a783eb83763

SHA256
84941de5ecb84024df374d4c2368cb58755a2bf1055b2db83efac775731078cd

SHA512
769901c00bb645994c58e4b4178665d55c9ed16a19e8fd551fb409a217377a5f45a4832443589aa8f5ed2d1ede8252173bea739e4437ce1810f78f1a622be514

Download Submit