maze | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2023 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Size

473KB
MD5

f83fb9ce6a83da58b20685c1d7e1e546
SHA1

01c459b549c1c2a68208d38d4ba5e36d29212a4f
SHA256

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
SHA512

934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
SSDEEP

12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\odt\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">y7FTDf1FoDvQ4S96JjuPIpXAEY011pT13088nQHgnguwIX/5njEUXPJ7dlotM2tfz1PCsyeKf8dGkix85wkCNWG6KKUerrHJt+fWH2caaSpwf6qDyteotD//+NJqMr0TeVdR3E1GvSJM2p1ya8KMzsSdp/rjz7Wrs7DDcJkPm7gQtxJfa8B8XX4tv6GgslBjEAuo6eiXHAJ9wioQzCgqpBfu0VcZU0E3nlhgTBeBU6a2PwJQMCW906CNcVP0QGNp2uMIACjmIq8dHjGoHPtndXQAIwr+mM79AXHrgGtEpSsY/WouJNMtzEWhno4NCa0Qe4AtYmXFQxr5ZCuvSU4XR9rSWixyNtXmApzhArFb78E844IbGCbHJOPoKCjsvdBlv181WffojYvo8oeDSMG0PisihdmzacU/nSRjC12sm+1/lAblTI0HhCwEQQUM8mlBl2pQQh5KV1KGNMIqOOGy+rc57s2ZtvDBcmX8fO1AOte3dneorhcOpspS6mbCrKlZoNwQxuTWlNKu/nBesKBRaVAGHxvK+IQzbzBg8dfj24c7n1zP1V8u3JP7KabfTeScDU6VFV2eQZBWeW0I2VH/9ySI0FNPxkrWl473EIxUSLF/LASHCBRPqLNcpjTX3DPZatdGfr0tDWNZf1DBQF4W1mwLYQxuULR0Ulkk21QAEccOJZSDZgbZPkQ6hIaax+i7BkS9YRlHkqFlYWl1z84HM2auf7kVvdA9uaQCnaO8wRj0TuWhDC6EpKH9r7DxLvFiG3eJANW3StjHuPT1J8LI1Hh2JpsiVzABzT6TjQ6mZtqTmz0d+2UMfMYmGC0ZNEwC+ga9jMT/7ScuBsBNJ5V2RezHBP9fJgv3KIkFJJ65w/EDM2fatEf0f0pN+e9kXLB6AoFuQY6JyUUzq/icHfyGL47C/uUkNBbMyuR+Jju9mTxEBT+4HIhyejceKneck6JRD253Ep47y2Mmr1XAOD5H37lZzaNSP2o7TWukC+a8M8ebZeBlrWC3UIR4rP8BkHTJelE6dASGLDbiYjz0I4JETg93aXyNljZh4DOnZpbOIyo4cp6TQmih4Lnv6hwBhPsqowr8SRYOn1p4gBk6B4D48pEXaWcXXRx2+9zx39da9yxCMlVsLmCndCDzA7qv3q8qTFFqHcGmPEQiW++GE7PIr15QzNgcGIs1o0zTNnRKeke1lePxjGEJTRL+voZQGYd2mTxyJGW0Z8Pko8zCzw5vdTFWlOv8+zv3SIIzoMu9noFqHgZuVmPkLBV65t41PAbAdx9tYcYceUXzk+DVWF5iBz9TVS1uuCkjqYTervluevc0RE1nRitTXOcKfarRC1MV/jBtOtDcvLHdvykvpio55qPK0jqVy5S81ZVnRW+SonWrMFMGHQSIGS68zPXMwdtL+2FA/BWOjZb/OZ/Ar8Yu1p1AFm+CgGii3PK4NYD3jDcJIpSEIbWYIDpKj6w9HDASNHs7rTf2eRrpVMPmtZw8gQ3IF60vzDHa7tbrnHn7ACTmrGQ8AtV7OAArHm1/Y6qXouLFfjVAvpMLZsDcirU10dpZpTB2LG6PUcIZ9L6YdxVvFB6K0XgqRj7PWubWGli1bq0Wbq8plFXUqzh/zFxzEA/rW6rSzlQ/1nEZdxc/nK0BbOxtgnI8U9cM+3ey/HgCT9gVDl96H/NBFbt1omiZ480KpArn+iUR4DPuEphm0d5vngtBKkt81KTHXhukox/exVaGI3tNOK6rE+RjsRY0pKdt208mhQwVU8h10TdmLz31GFzbofMPB9ArJyAcCkOfpLRWp+k7QxdKwpXcb+azdBMd0E2tI38x+r2H9wGCfmWiqKgxYxQlsi3cOPGP6YUoPIxUGDYNZE0NW8wLMus503jksVhRcaHoYU1U2k6KikJBh4q4VX0mPeNGu1Tk19+ZHIlrioutwvlMYERiswDT5Qm9C+ZHfDFCHEtPYLv62fys3hnNdEYsnloecdmmuaMGT0vmy0Xkl/lO5loy2IWp+ZbHzmqGuhgaUr4wKUxgs7868V7aI8/KT7QW/w0qsvOT5oxosB6ra8esaOSw+cSWdL/i9ballExhU5dQ8ivmpyzBxd79CArf5Vz5oz5l8N1oYhZksVcmE5bwgZzyZzhaw1seRgCOfawxxjd8nZTSXZ48/BUlGmMQo054CYRlyzrw5hFIAYiynAKL/I9FFaDJmZsFc3wy4dccyz4bXt8YDsF6t/BqbF03Hua7Ovk8V8Cc906SHwoiOAA2AGIAMgAwADkANwA3ADMAMwBmADAAZgAwADYANgAAABCAYBoMQQBkAG0AaQBuAAAAIhJIAEYAUABBAEoARABQAFYAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAAMwA1ADIALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHD2199yeAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>

Emails

[email protected]<br>Reserve

[email protected]</b></u>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\DECRYPT-FILES.html

Ransom Note

Maze ransomware ********************************************************************************************************************* Attention! Your documents, photos, databases, and other important files have been encrypted! ********************************************************************************************************************* What is going on? Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system You can read more about this cryptosystem here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) The only way to recover (decrypt) your files is to buy decryptor with the unique private key By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data. In order to either buy the private key or make test decryption contact us via email: Main e-mail: [email protected] Reserve e-mail: [email protected] Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one Below you will see a big base64 blob, you will need to email us and copy this blob to us. you can click on it, and it will be copied into the clipboard. If you have troubles copying it, just send us the file you are currently reading, as an attachment. Base64: y7FTDf1FoDvQ4S96JjuPIpXAEY011pT13088nQHgnguwIX/5njEUXPJ7dlotM2tfz1PCsyeKf8dGkix85wkCNWG6KKUerrHJt+fWH2caaSpwf6qDyteotD//+NJqMr0TeVdR3E1GvSJM2p1ya8KMzsSdp/rjz7Wrs7DDcJkPm7gQtxJfa8B8XX4tv6GgslBjEAuo6eiXHAJ9wioQzCgqpBfu0VcZU0E3nlhgTBeBU6a2PwJQMCW906CNcVP0QGNp2uMIACjmIq8dHjGoHPtndXQAIwr+mM79AXHrgGtEpSsY/WouJNMtzEWhno4NCa0Qe4AtYmXFQxr5ZCuvSU4XR9rSWixyNtXmApzhArFb78E844IbGCbHJOPoKCjsvdBlv181WffojYvo8oeDSMG0PisihdmzacU/nSRjC12sm+1/lAblTI0HhCwEQQUM8mlBl2pQQh5KV1KGNMIqOOGy+rc57s2ZtvDBcmX8fO1AOte3dneorhcOpspS6mbCrKlZoNwQxuTWlNKu/nBesKBRaVAGHxvK+IQzbzBg8dfj24c7n1zP1V8u3JP7KabfTeScDU6VFV2eQZBWeW0I2VH/9ySI0FNPxkrWl473EIxUSLF/LASHCBRPqLNcpjTX3DPZatdGfr0tDWNZf1DBQF4W1mwLYQxuULR0Ulkk21QAEccOJZSDZgbZPkQ6hIaax+i7BkS9YRlHkqFlYWl1z84HM2auf7kVvdA9uaQCnaO8wRj0TuWhDC6EpKH9r7DxLvFiG3eJANW3StjHuPT1J8LI1Hh2JpsiVzABzT6TjQ6mZtqTmz0d+2UMfMYmGC0ZNEwC+ga9jMT/7ScuBsBNJ5V2RezHBP9fJgv3KIkFJJ65w/EDM2fatEf0f0pN+e9kXLB6AoFuQY6JyUUzq/icHfyGL47C/uUkNBbMyuR+Jju9mTxEBT+4HIhyejceKneck6JRD253Ep47y2Mmr1XAOD5H37lZzaNSP2o7TWukC+a8M8ebZeBlrWC3UIR4rP8BkHTJelE6dASGLDbiYjz0I4JETg93aXyNljZh4DOnZpbOIyo4cp6TQmih4Lnv6hwBhPsqowr8SRYOn1p4gBk6B4D48pEXaWcXXRx2+9zx39da9yxCMlVsLmCndCDzA7qv3q8qTFFqHcGmPEQiW++GE7PIr15QzNgcGIs1o0zTNnRKeke1lePxjGEJTRL+voZQGYd2mTxyJGW0Z8Pko8zCzw5vdTFWlOv8+zv3SIIzoMu9noFqHgZuVmPkLBV65t41PAbAdx9tYcYceUXzk+DVWF5iBz9TVS1uuCkjqYTervluevc0RE1nRitTXOcKfarRC1MV/jBtOtDcvLHdvykvpio55qPK0jqVy5S81ZVnRW+SonWrMFMGHQSIGS68zPXMwdtL+2FA/BWOjZb/OZ/Ar8Yu1p1AFm+CgGii3PK4NYD3jDcJIpSEIbWYIDpKj6w9HDASNHs7rTf2eRrpVMPmtZw8gQ3IF60vzDHa7tbrnHn7ACTmrGQ8AtV7OAArHm1/Y6qXouLFfjVAvpMLZsDcirU10dpZpTB2LG6PUcIZ9L6YdxVvFB6K0XgqRj7PWubWGli1bq0Wbq8plFXUqzh/zFxzEA/rW6rSzlQ/1nEZdxc/nK0BbOxtgnI8U9cM+3ey/HgCT9gVDl96H/NBFbt1omiZ480KpArn+iUR4DPuEphm0d5vngtBKkt81KTHXhukox/exVaGI3tNOK6rE+RjsRY0pKdt208mhQwVU8h10TdmLz31GFzbofMPB9ArJyAcCkOfpLRWp+k7QxdKwpXcb+azdBMd0E2tI38x+r2H9wGCfmWiqKgxYxQlsi3cOPGP6YUoPIxUGDYNZE0NW8wLMus503jksVhRcaHoYU1U2k6KikJBh4q4VX0mPeNGu1Tk19+ZHIlrioutwvlMYERiswDT5Qm9C+ZHfDFCHEtPYLv62fys3hnNdEYsnloecdmmuaMGT0vmy0Xkl/lO5loy2IWp+ZbHzmqGuhgaUr4wKUxgs7868V7aI8/KT7QW/w0qsvOT5oxosB6ra8esaOSw+cSWdL/i9ballExhU5dQ8ivmpyzBxd79CArf5Vz5oz5l8N1oYhZksVcmE5bwgZzyZzhaw1seRgCOfawxxjd8nZTSXZ48/BUlGmMQo054CYRlyzrw5hFIAYiynAKL/I9FFaDJmZsFc3wy4dccyz4bXt8YDsF6t/BqbF03Hua7Ovk8V8Cc906SHwoiOAA2AGIAMgAwADkANwA3ADMAMwBmADAAZgAwADYANgAAABCAYBoMQQBkAG0AaQBuAAAAIhJIAEYAUABBAEoARABQAFYAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAAMwA1ADIALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHD2199yeAOAAQKKAQUxLjAuMg== Click here to copy function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } }

Emails

[email protected]

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ru3wp.dat	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ru3wp.dat	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3720	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
3720	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
2820	msedge.exe
2820	msedge.exe
5076	msedge.exe
5076	msedge.exe
3780	identity_helper.exe
3780	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4756	wmic.exe
Token: SeSecurityPrivilege	4756	wmic.exe
Token: SeTakeOwnershipPrivilege	4756	wmic.exe
Token: SeLoadDriverPrivilege	4756	wmic.exe
Token: SeSystemProfilePrivilege	4756	wmic.exe
Token: SeSystemtimePrivilege	4756	wmic.exe
Token: SeProfSingleProcessPrivilege	4756	wmic.exe
Token: SeIncBasePriorityPrivilege	4756	wmic.exe
Token: SeCreatePagefilePrivilege	4756	wmic.exe
Token: SeBackupPrivilege	4756	wmic.exe
Token: SeRestorePrivilege	4756	wmic.exe
Token: SeShutdownPrivilege	4756	wmic.exe
Token: SeDebugPrivilege	4756	wmic.exe
Token: SeSystemEnvironmentPrivilege	4756	wmic.exe
Token: SeRemoteShutdownPrivilege	4756	wmic.exe
Token: SeUndockPrivilege	4756	wmic.exe
Token: SeManageVolumePrivilege	4756	wmic.exe
Token: 33	4756	wmic.exe
Token: 34	4756	wmic.exe
Token: 35	4756	wmic.exe
Token: 36	4756	wmic.exe
Token: SeIncreaseQuotaPrivilege	4756	wmic.exe
Token: SeSecurityPrivilege	4756	wmic.exe
Token: SeTakeOwnershipPrivilege	4756	wmic.exe
Token: SeLoadDriverPrivilege	4756	wmic.exe
Token: SeSystemProfilePrivilege	4756	wmic.exe
Token: SeSystemtimePrivilege	4756	wmic.exe
Token: SeProfSingleProcessPrivilege	4756	wmic.exe
Token: SeIncBasePriorityPrivilege	4756	wmic.exe
Token: SeCreatePagefilePrivilege	4756	wmic.exe
Token: SeBackupPrivilege	4756	wmic.exe
Token: SeRestorePrivilege	4756	wmic.exe
Token: SeShutdownPrivilege	4756	wmic.exe
Token: SeDebugPrivilege	4756	wmic.exe
Token: SeSystemEnvironmentPrivilege	4756	wmic.exe
Token: SeRemoteShutdownPrivilege	4756	wmic.exe
Token: SeUndockPrivilege	4756	wmic.exe
Token: SeManageVolumePrivilege	4756	wmic.exe
Token: 33	4756	wmic.exe
Token: 34	4756	wmic.exe
Token: 35	4756	wmic.exe
Token: 36	4756	wmic.exe
Token: SeBackupPrivilege	4504	vssvc.exe
Token: SeRestorePrivilege	4504	vssvc.exe
Token: SeAuditPrivilege	4504	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3892	wmic.exe
Token: SeSecurityPrivilege	3892	wmic.exe
Token: SeTakeOwnershipPrivilege	3892	wmic.exe
Token: SeLoadDriverPrivilege	3892	wmic.exe
Token: SeSystemProfilePrivilege	3892	wmic.exe
Token: SeSystemtimePrivilege	3892	wmic.exe
Token: SeProfSingleProcessPrivilege	3892	wmic.exe
Token: SeIncBasePriorityPrivilege	3892	wmic.exe
Token: SeCreatePagefilePrivilege	3892	wmic.exe
Token: SeBackupPrivilege	3892	wmic.exe
Token: SeRestorePrivilege	3892	wmic.exe
Token: SeShutdownPrivilege	3892	wmic.exe
Token: SeDebugPrivilege	3892	wmic.exe
Token: SeSystemEnvironmentPrivilege	3892	wmic.exe
Token: SeRemoteShutdownPrivilege	3892	wmic.exe
Token: SeUndockPrivilege	3892	wmic.exe
Token: SeManageVolumePrivilege	3892	wmic.exe
Token: 33	3892	wmic.exe
Token: 34	3892	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4756	3720	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	83
PID 3720 wrote to memory of 4756	3720	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	83
PID 3720 wrote to memory of 3892	3720	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	93
PID 3720 wrote to memory of 3892	3720	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	93
PID 5076 wrote to memory of 2492	5076	msedge.exe	98
PID 5076 wrote to memory of 2492	5076	msedge.exe	98
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2720	5076	msedge.exe	99
PID 5076 wrote to memory of 2820	5076	msedge.exe	100
PID 5076 wrote to memory of 2820	5076	msedge.exe	100
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101
PID 5076 wrote to memory of 4164	5076	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\wbem\wmic.exe
  "C:\ves\aql\..\..\Windows\va\..\system32\lnmaa\p\eqn\..\..\..\wbem\wsdx\hkx\fxkb\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\system32\wbem\wmic.exe
  "C:\f\vdimq\..\..\Windows\hqkef\k\se\..\..\..\system32\dhqg\jcbu\pov\..\..\..\wbem\qmx\bt\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4f4
1⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\DECRYPT-FILES.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x40,0x134,0x7ffc135d46f8,0x7ffc135d4708,0x7ffc135d4718
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6539852030649296555,6747721926523646870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-65040BCA-11A8.pma.PUC3o

Filesize
4.0MB

MD5
7a87f0a743f540e7a67244bf9d6e2cfb

SHA1
6dd5e57d22c1ab43de55d51c89c514fd2c982c69

SHA256
02d1670d57ae62662cfa35835a756a1b204b9bf268943e9224edb434e2fd54d1

SHA512
607538b8c164832fb729af854f968a83f37beaf4ad2c445abcca7f2e35d283a7b11503f516b3a44bc6611c4737723f367ec3a21af525c10632b3f812ed72dfb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73a802a7ef871a9d01bc020a7c282b54

SHA1
d4d7293327628f1401ac9a59cb6ce87a410a81eb

SHA256
38bafa5cc9c0a3f965f2b178681232763d55a5af5f35cf05ebe665983ae7bfd0

SHA512
d8f916c68b257f37136f980434b709e9692718a16466380115323367ff1b257ac25e20faf98c28b8a379f4bd2bbdc83097beb14d2b162fa6f3cc4881439f60f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ed225d7e431cf5273676d2296d95db0

SHA1
a35d130be5df948cb1ca2fda9a3f6be0e3596a9d

SHA256
2b6dca3a5a941ff8bd4dede9d768895f8948345f938655acc06bdc7c00e054bb

SHA512
2c25ba9b9382cf19788998a9f18acd55904f6aa21e7fd4f9d82340b7fac4144a6d514025888a33d93ea208ac4d1a5ba7293ff17c6fa51a72d5aceb346f3d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d786c976182b38818d9e29eef3523e6b

SHA1
ba9c3f66bf480b496583e13bff89170a633acfd8

SHA256
b5fd79b8c17168cefcb106464ae8d990da4ad7a88b8d8be3f2815ce7c3df8147

SHA512
a5a2c9bc602a3ffcf356af7b8e89617b9e7bafb29d20e63155c6a0f6d981d090b74d2ee8f07ad57c06e548f74fcbd4a5c3cd83845af9ab148b03766212035e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0697decc-e435-4a6a-9216-8c132cc219c7.tmp

Filesize
4KB

MD5
3a6f7088bd6846fd4a459f28b8437c34

SHA1
c3ed1b358bbbca4596114a9319b0a59d26848f67

SHA256
fa8b1ab42097b416f98003ea86e0aabac9aaa4bf017153093aa478e1817ae171

SHA512
0b3eb608471a5c027cdc5e1022ebb04b594e973545afe5a46fc72669a448da61f271a5dab590541cb1e089d8100817aab86baadfdec2fe6d2a4c1f31976b3b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
5be7fef84eed2705aee6c49126332bfb

SHA1
1fdd8d178b682c74fee9a1ae5e37237fe883c9c6

SHA256
10e6870fa4398da561085e25a2a8101f50ea22ebf1bd7c31d132d4056bc7ae39

SHA512
d66bfd4dc9694dd01719159bdd5f4ecfda5efbd3c3674a6741c52ea169d4daf89d6da837b401608477aa635148af9b1b7956c6eee3e56078855069cf8e5ac968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
1f5bf80933304a0cdcf47f63db342b8d

SHA1
3f0a4158db149007ca7884aa842047b653de6ae3

SHA256
82b66407d9cb4ff4ed993d1e45b7eefa9a7d7936411c38fb4fe27287deb812cc

SHA512
b0526656b5a238fbd1f7cd27fa7dd4b4f9b5a3fa12166edcf4ce49df5577e2f990244e80d43e6cbb34c57757c62cddf20499ff95dc6c16dd18d69f8d7fb4f18a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8006493ef4525d21a54735e2096108a

SHA1
352a033db0d9ae9104bb54c13593e52304097777

SHA256
512b4d70c121c17b3aa29657f4b74dc64b35dc3d5904170d186e4b9725808e07

SHA512
d56e2c3e2638bab2707a6bd64e0465695069b10eade119b03623bb45100a0ef34d8fc7a68e0a53ea1625ae4f504bb54216a51a2db923af916e85e1f346b76a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeb87ab4aabfaa6e2a4595808bd1a461

SHA1
bbc4d8b3d1d9ccc0f6d3cfd3c589ec0a50cc6164

SHA256
a92f9251ec1eb50effc2754e2a0e20d0cc56a896ebec987b1609f1c868ff978a

SHA512
e68de1842aaa5d100af64e6b86d768b430f25a4700a7b85983c0b18d1cecb219a0ee51572b9308519e95ac809bdadd4437ef48079fc3e1a98bace0bdf2b6b5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RFe58f2d7.TMP

Filesize
24KB

MD5
d447296860100428a70615f23a44b443

SHA1
c8779c3e028cfd2ed4411667a8184f3548e59c97

SHA256
00825b11abaa2b20ff809f2b2044793424eb608ecd40f80226a04f81b7c889ac

SHA512
81fa5e637794fefab67d86570a77a2f9126b6fe915d6204822c8d330a3daed9561dcac9830e293e230e7605b42c5aede8e7c6fbce7abb0b3daf8c0342f36eade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\b2f0b355-8076-4829-a2d8-17299657d57f.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a73c8821-1265-4bc7-9a68-8e4e9f71003d.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\5fb5bef3-db99-48b6-b6fc-5c9f779b274e\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e23f7579575cbeace366eeacfea3005

SHA1
9aa20077f511162594e4d2befabc8e8abbec9af0

SHA256
ae7134531b28d7be13de83c898deb73f3125f412ebb6f76968f027917c3b0d68

SHA512
81359175e91064597db57c2f82b70048184c3e564dccd3fc68c92b4095791ecde28677bc2fd3dd757afe421cf97af82c8318ea3ee269368b1b19f405c1e04b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe590853.TMP

Filesize
10KB

MD5
16f9ad4f6b1b6cac38ae1bb447408055

SHA1
e2d583126fddeb9733156133cd20542caf9f63bf

SHA256
e7191ccad611cd01e553015bcbab2935625151ab898ab153c9e1197c3a102616

SHA512
f23f1b42e83ad6c5ad5610245976d6b7f03597c076261d08ff3a3f52d8f1fe5c23a85a2297bd69d9d1f157e82e77047959f563d7982feb94928134c6943923a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_4B99355199DD44CF9239A558EA6C0927.dat

Filesize
940B

MD5
80a153ec87e75817f3cfb80d4fe2de51

SHA1
f961782592baf2896a07f341ad3c06ec73145c05

SHA256
422641b1061b12cdeaf12e6802581bf74a21a5d8478dc5e0701bd8690a4719d7

SHA512
fd702afe079c619334e1dca5fe1a9e7972ac1296387199f649cb980cfec099c3fc9f469bb74cc5b9f367132985a1dfdbfad7438760fe249a0955c31a4910b3bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\Users\Admin\Desktop\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
C:\odt\DECRYPT-FILES.html

Filesize
6KB

MD5
88a179df9744f3868a112b3ef1d98135

SHA1
69cde2052efc33e1495c1216c9ebf466d26985e6

SHA256
5c4e5b71f153c87925df59b829da40aa948e30271890cb4a70abfb8ebc2f3f28

SHA512
d49da1feaddd5901ab0ec47114a48108d607758e14c36be633217b79cf30643d942aabef34b26f0c36e09c9c31fdaecb29ea0a424413bd0af8590d73a7a6f1bb

Download Submit
memory/3720-11-0x0000000002770000-0x00000000027CB000-memory.dmp

Filesize
364KB

Download
memory/3720-5048-0x0000000002770000-0x00000000027CB000-memory.dmp

Filesize
364KB

Download
memory/3720-1-0x0000000002770000-0x00000000027CB000-memory.dmp

Filesize
364KB

Download
memory/3720-0-0x00000000025D0000-0x0000000002629000-memory.dmp

Filesize
356KB

Download
memory/3720-10-0x0000000002770000-0x00000000027CB000-memory.dmp

Filesize
364KB

Download
memory/3720-6-0x0000000002770000-0x00000000027CB000-memory.dmp

Filesize
364KB

Download
memory/3720-15-0x0000000002770000-0x00000000027CB000-memory.dmp

Filesize
364KB

Download