hxxps://github[.]com/kh4sh3i/Ransomware-Samples

max time kernel
54s
max time network
55s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-01-2025 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com
69	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250111000940.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\651448e1-3f80-43f9-a111-257053c68172.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4976	msedge.exe
4976	msedge.exe
928	identity_helper.exe
928	identity_helper.exe
4336	msedge.exe
4336	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 868	4976	msedge.exe	81
PID 4976 wrote to memory of 868	4976	msedge.exe	81
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4700	4976	msedge.exe	82
PID 4976 wrote to memory of 4572	4976	msedge.exe	83
PID 4976 wrote to memory of 4572	4976	msedge.exe	83
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84
PID 4976 wrote to memory of 2512	4976	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd72ff46f8,0x7ffd72ff4708,0x7ffd72ff4718
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff66cc75460,0x7ff66cc75470,0x7ff66cc75480
    3⤵
    PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,14137964740473333012,18312166242410008461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24dada8956438ead89d9727022bac03a

SHA1
09b4fb1dba48ec8e47350131ae6113edd0fdecf0

SHA256
bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1

SHA512
03f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b712a4c83dfb3c522d032cf900e863a

SHA1
4f5bec4be6f4ebfa959e899ceafc62309bb1f141

SHA256
31da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493

SHA512
03b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\410c4532-1090-425e-8923-c7b4d1223df0.tmp

Filesize
1KB

MD5
ed7823db5f769a8fc6b62febe62b8827

SHA1
2a5f0f70b73ef472a7349ede5eb7ed3cc47901a0

SHA256
8e2557337381bf4160095fa8e6f84e10330cdf2e72c17c85920c0a3e7a04162e

SHA512
059f5cb5e14b4bda28832c181424e26edb89c7ea8421f611433b6f18346141509b61175dd6ef0f71de74e5e6ca4895a2e518c096a84430ba96537db7e876740c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6c8160003aeee316250b3a82bedafaf5

SHA1
3b5e2c3138d9a88bc6b41d13f3d187a36016cada

SHA256
d49e8fbe6b8e386b35d55b71eb07e59300a2f6ec322bc2099eb714a679280bca

SHA512
bb59d92f158e93ddd1b25bbdecca43e14211b0137718cba136249515a38c0b1a4dfa0459e75d115e24c9d574185da9dce2c5fa34aebf9bc286417361ed18e66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d1f154aa4f281b2c77d225cb6472a6d7

SHA1
2339f4695a02b480d8fe03907cfa6d754b8fcf91

SHA256
2db792668108d04291fea4d38ad57ded661d5ce9d99b70f53692c77cee74f2fe

SHA512
e0b0a2c97bfadfcc81e6d62baff5de353cf0a7af8078246bad65dae6b6189d6f1ffeec5f64888506cc28d986834b323d3a6e517d31b75358acbd304548dea868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95302bd004e44619a43675bcc017c4fd

SHA1
871300c0f407d76b7e053aa18143181cca42bf87

SHA256
c4547b3395663f67e03326eec90781e7e3cf60bdd55650b51b3854c7f7fa591c

SHA512
cca8bdfeb178917fa28c07a135fd026e6c5fe4da93ca6050fb71dc9ef60ca577cbf8a2afe330cc153dee1a6fd18167c5737e5c1120cf8e89ad759eafdc25e949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41ddc685abb4fed1992f4b74df368f0f

SHA1
1784ac5f35cbcd38d6e4f3abcb2a53dae5159e03

SHA256
c39b032af088144b48e32d7d1db80ebc47d3bb8afd333e6b067be20163ea58ec

SHA512
a359e4bd967a2f8c2c4c386062ad896f4adce60adc2f6c67a37c596d7a8b6319f8541ad1d0af83f88fe8bc74c4d6870b0277b33f898f7ce5f816dc38d60d4b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6b9866d007353fae504368e9cf6d072

SHA1
c9a7478de17da843bb8c2fa7d0315d6608955b6b

SHA256
044cea1cafd67fadf4e34254be5d04e550ef4cf0608ed68d7db5c390b85c8537

SHA512
340729a0306c46dc0953197489f9a78b2667cd7c1b13a27b36680ed9595a213180ec61ce57d7ab88ac675815508fdd7307b477d9f09820a2ff5720d9465f0ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f26dc384cb1656278a67c9908d1752f5

SHA1
c14ba4a84416a9c98ebe01181eeb99ae404adab5

SHA256
e35b4d78079c264b1b4458d31586fadf28ae02a9a30b413dbcdbfb1dd30ee9ac

SHA512
4a0d8a44ee9c60311c09eed8e61121313b90d4e0048cb4f80093e941a50a10a44743ef94892af145be0ab2797c557be3727a5509b1dd174d2133f37b82ba8eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85eca930a791cbcb1373f5fdaf17857b

SHA1
ffea7d54e9803374a484f1e4c124766e80024efc

SHA256
fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c

SHA512
2ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
99a7edf9124dba808b6d025b14aea278

SHA1
f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef

SHA256
9d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089

SHA512
fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd9467346f71075cc34b3b1b903648e1

SHA1
f4b25a5c1111d8314549f5c86cdde92a6342a183

SHA256
6291f4c3a7bfa4eb459f099e2aea2d7917c53aa023433e1688d99fbc13e90587

SHA512
907bd09b6533fc1518bfd07bdb16ae08e1a2e9d75face57bf8782d8f7f43f07a7cd84a4ed38aee6f54723697a132d8eefec3b69bd04cfda33bab6b49e691d693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e261.TMP

Filesize
1KB

MD5
3c687f946d40a62da6dd9402501a4c08

SHA1
f32011a76f7b74a89b58161c715bc71e6d0ec153

SHA256
a64ee4f0fdad5a26832d002dc7296dbd6dd4006cf75e823717374ecccfb3158b

SHA512
d6cdb4f381b1543a6d514dcea3ddfaf2008b862dedfd9b452be48c6b917dccc48b98bbc7d20fdaf061645e14c4ab18d503c9769b5231d95674a36ae24f462ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
21c073ea9920b9624eac37773d76648c

SHA1
52de32079c6683e3b1f796920d6cba5504eb7722

SHA256
b575de3da2d901b7d8f98855556ed223a43b7cbb01e0570863f7ddac2443f3b3

SHA512
e12c6fb7c2a5fc5929ca6d07559464000fdf294307d95955faa0ecfb6cb4a0367ee9f51ec6f6b6cdc210ddd8d52b624debbe4f6daa7beef93adf8dc71f7d7caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9931a7915af05b18f23e51280a91b708

SHA1
969794ab63c9ad6ad27f52ac6f485e580b67a591

SHA256
099a349219b6149eb23885738bd843d6cff92ffde1223f46ccee0c93fba9df76

SHA512
e0ecc610f7ab7621699596d5163d594bf9c99f1e257e52a9620e0902fd47274ff3f426df0a8fd81ae5a8a5cb60cc0243241d5a5dd192aab950a4dbeeeb8f39cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a70a4355270f78894469df2802e556cd

SHA1
884e234dbd8c2d67459e33320cf837b0e453a59e

SHA256
a661bd1102bf4f0dbafc5ef4ccd5b98a326306a6f5aad6c20a43a2be6c771004

SHA512
55321758a9dd3bae0fb5c0cd90b826a229ad8be2957d332024a09d53f629de4f09d0fe7fe96845306b0cdf6695dfa019fb498e468fb992f2a870cb08cda6f7f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3012c970bb8dc4d0a497d0a2f8e4c843

SHA1
d7f1d17dc8a27587eebd35ec82d3db5b4a73961e

SHA256
a0651415cc804039c8e83b986f3c1c8b5389db55427b8dab465e01f83417c3bc

SHA512
bcca67b3f20520c95bfe01c37c121667d458fa2efd9a76c8f1c21e6fb648e77fff2a7dfe076984c6250f64d70057a272b46534c849f80b74820d8a079a4fcfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
57d0d4cd79f79447fcdb35cdcbcbe206

SHA1
a368c4a63e2d10b0b5c3ef898355f870241687ed

SHA256
87c8e1a1ede63e29f1b1d2094af4b6030da98af77564f94399bd1b1f47e8fa35

SHA512
8f86566dd7abd9ad73866584583fbffd8f5c4d598084a6e479f8f0399cd8f0a630e3b1113d41e48aec77acb2d6627a7273a614da7f0790dea04c42bf35e3d573

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip

Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit