hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

15-09-2024 17:48

240915-wdv7tavfnh 6

15-09-2024 17:45

240915-wb81wsverh 10

Analysis

max time kernel
960s
max time network
965s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
21	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ransomware-Samples-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3920	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4112	msedge.exe
4112	msedge.exe
1244	msedge.exe
1244	msedge.exe
3732	identity_helper.exe
3732	identity_helper.exe
688	msedge.exe
688	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3920	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe
3920	vlc.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
2036	OpenWith.exe
3920	vlc.exe
1020	131.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 3924	4112	msedge.exe	78
PID 4112 wrote to memory of 3924	4112	msedge.exe	78
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 1520	4112	msedge.exe	79
PID 4112 wrote to memory of 4624	4112	msedge.exe	80
PID 4112 wrote to memory of 4624	4112	msedge.exe	80
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81
PID 4112 wrote to memory of 3988	4112	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa17163cb8,0x7ffa17163cc8,0x7ffa17163cd8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2829755745657611262,1565586397166212461,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2036
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3920

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3f57ecf4-a3e4-4312-adf6-e53056a8e95b.tmp

Filesize
1KB

MD5
a8b5ee2225b3329a86f163d63bba3052

SHA1
9fbd5679e08b4250e0542e9d07f93a9f7173a3af

SHA256
8b805657daf0f4f6f3cd362dcbf72fe8899d78730a2db186f4dc77cbb8330ba2

SHA512
ee8c90ef157ecdaca8d87846093b596748dc35573ab1b68085dc303294c42f66b99dc335a565b4606a4521dffbc67370375c38ff541424c5b1138a2b0e5809c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e55822c222e5fb33c14adcc2b71dd0a7

SHA1
e64dfe133c741a778b9a97ec76957a029206b9cd

SHA256
34599a993f847a54eebf4e11f9bbd42f23021ff6f304e1db1622cbadf301a301

SHA512
f3ad8c52f9b54072183ac9c32c80b68b51dd82fe8321cfa8b7c180d83feef08aad2b194b75995f75420cd71043532f1c0116a4416ae5769816c65fdc346ae9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
656B

MD5
c2ef7501908bd85085bc5510e696d779

SHA1
d27275e2f26d3b15d0e6f50188eafebe9811ad79

SHA256
afb5299c3b69d23b4ba8862855271759022be4d6d638157b9e47ee1498f8bd9b

SHA512
57981b923c81b624bd4e6121fde52b499cc4978beb68f4575589166d8fee1cf7fac4c3eb26ad93ae258fbc0fba34da92ddaf4eb3f356262421b515c53c768bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d6bcc3c3655bc10cc950c45fe0185a5

SHA1
1ff0823cb24691036baeccffc9b7b81ac2beb674

SHA256
58fa7fa66c6d32563934acd0c3b5ba09658b01a5e620a807bebfc939cc70437a

SHA512
f95428c44bd517b366d2f3272f3121eb25f0b6a4921a1c322f740043e1711b90c23231577ddce4ca5c5c66daee75d74a423cb3b3f06480f690d906ad588135c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c250a5245f2f2dbf49175fb224bf018

SHA1
69a4596c4f5da5ae00fcb66a9765cec6cffb55df

SHA256
a985a107f0d8faf59cefff767744d44139f3640a966e80d5fc4944230a2439e5

SHA512
66b9eae7463f1bec3d5dda757f46890f67c0301e4d5aef5e38f1fa56d2493dc47a0aa6f227b920159493a5ba6395f2e2200777e202b88f98d876c1e54171c951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ca3cd73584ce371a1e7fdd97e581a05

SHA1
8c7e89e12c13e235f479d35d5331f17e8db180c5

SHA256
8e864473db5cff025dc04feefb27a66aeb432b84068a19564abc3bc6865d9356

SHA512
09f144ea61cb0bbb574d01b9cc845b862f59f08cd70e2796514f31f208b44584d21f5615a5923b1f7f0a22114841bed1ff28a9783c35cfae1b20e0ed707328c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bbc9.TMP

Filesize
1KB

MD5
175a506c3966432dfc627b18a35b56e9

SHA1
bb3f68f0ed5225d9776174da482cbe6ec5c41820

SHA256
69bf5dc9d3efed8665d10878c91e7c8f706ce55c03dba18ce68efa3078796100

SHA512
748bd161cd7c93ac787691af43a059818aa47874469fa2d1e395c863ac72cf006214d432ac0a628094b58b9c86b980597cd43b0595530d197fb3c48e132cb7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2939960d6539997401dba6574d86fc47

SHA1
2d3f91fbc2641c413ff505e63d74260939aa78c6

SHA256
f3796b98b4d33d7141ff84e3c9376e7d0573df30192bf259c0a34ae378443096

SHA512
5c63e1c22040f448c0315f4bc4e2d830622425ae0de7b634bcc209f1fe086a81ea9f89b0adf3ec5bf142ff5e95643bb9599c15f150f0de3bb7d78733cb986d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e2c0fcc6d2e0bf5a620635b7f82170a3

SHA1
88375cdcc35b5df91262628c3bb8989bed594d46

SHA256
0b370edf2267f8c199737b9b5d6a36a45b665848af6bdc9ff9fa5c258cacdd96

SHA512
4852e9d490d3fcb835887ed9721b5b90ae2ca7ed3b134bd99106b7fd48fb521ae1935f19e0bb50aaf1e2a6c3f35cad36a1356be15d50042451fecddce3c61580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0549ea21c6b18dd8c693e2f853246b17

SHA1
c5b49ebf9152b19ba7fd0ce35d0357f706620759

SHA256
e5f5796a6f618ebb21b601425f1777b22bee662dabe31626927ca23748d85809

SHA512
f479267a563c9fb305951642285b860df3e6632beca38a69a99b789dac2140f6d8ca7bb903d208f6f1c59be9ed5cf090749435e99b552c74edf5ed6aeb0c8b48

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
107B

MD5
9ef5c56ebd44640ddb780cb8271b0b74

SHA1
d3a529f411ef2bb8b48e6d418f2396ad8f8938f4

SHA256
6388cd142b88dcb175315ecaebb1644baa3b2fdfa12ad26fe9db9f051af5e1f8

SHA512
04864592e7071f586a83dbf9f7866de2e332ba6887b1b5da0b258da9297b1fcfb6e4d95e7e3bb69f417140eef944ae28d013d405139d8b8a8fc86474c8084ca0

Download Submit
C:\Users\Admin\Downloads\Ransomware-Samples-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 947185.crdownload

Filesize
15.1MB

MD5
e88a0140466c45348c7b482bb3e103df

SHA1
c59741da45f77ed2350c72055c7b3d96afd4bfc1

SHA256
bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

SHA512
2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

Download Submit
memory/3920-267-0x00007FF704230000-0x00007FF704328000-memory.dmp

Filesize
992KB

Download
memory/3920-268-0x00007FFA16040000-0x00007FFA16074000-memory.dmp

Filesize
208KB

Download
memory/3920-269-0x00007FFA03CA0000-0x00007FFA03F56000-memory.dmp

Filesize
2.7MB

Download
memory/3920-270-0x000002B36A8A0000-0x000002B36B950000-memory.dmp

Filesize
16.7MB

Download