hxxps://github[.]com/kh4sh3i/Ransomware-Samples

max time kernel
61s
max time network
62s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-01-2025 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
39	raw.githubusercontent.com
66	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e222342f-0bec-4a3e-b058-6e377bc6de6e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250111114035.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
3940	msedge.exe
3940	msedge.exe
4112	identity_helper.exe
4112	identity_helper.exe
4608	msedge.exe
4608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3032	26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2456	3940	msedge.exe	83
PID 3940 wrote to memory of 2456	3940	msedge.exe	83
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4652	3940	msedge.exe	84
PID 3940 wrote to memory of 4816	3940	msedge.exe	85
PID 3940 wrote to memory of 4816	3940	msedge.exe	85
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86
PID 3940 wrote to memory of 4244	3940	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff742046f8,0x7fff74204708,0x7fff74204718
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1224
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x258,0x7ff601295460,0x7ff601295470,0x7ff601295480
    3⤵
    PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6142374163773624616,3725248044908353147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4744

C:\Users\Admin\Downloads\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
"C:\Users\Admin\Downloads\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3b681f1b553061b1d406dca73509e1

SHA1
1d0902a780b041766c456dca466ed6dd88db979a

SHA256
45099d50c298e321f628997d58aff82c1f91aa302cb6a46f5c8a2819a53685d2

SHA512
b6e59b2da8bce61cdb2f0bdbe6dd0486c68bb583a1066cafb979314c4c1baeab4136d9d958e9e9ef3a36b1d7988ae8518080b8aff9748c102d05646aea914283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
165b9ab5b6100e149d42942970795741

SHA1
873ef2b7bb080cee1f9eb80920edb54a235fc326

SHA256
fd01e423cf1b8c61bbc4e1c63f3cd70a81586a9d03a88eebd6ec3a16a1910364

SHA512
5ba31ba647b158325e7282ff6dc83e683b62895a1e3ebd5445a1f121d6d5fdee4b39164514f7c442bf67dbefcc7965c3ee946333e77047ced40df144aebef9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
3d6ea26b9d3057a8736bc0b6fc52999e

SHA1
744a8061940afcf62c2d7a6678bffe16c50baa9b

SHA256
a17a04f3ecb0640d726234c20c9dd7af426dfef97914008bccf3dc468a4a7efb

SHA512
58938aac88f607c8163a7955bcf3eff0c43b12d7601a4d09bfa84e3d90cae79b801f562792536e3e250b5b31f2a34febd0fb8964ef0adb1349f4de256e2eac57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
967ab52b656780e5d6ea4bdb58d987ac

SHA1
5d4e3e1c062a6a29508909cff70d555afe58ca31

SHA256
e3d930520a8c062afa08a167959abf49a7ee03e5385e017363e378c75e0af78d

SHA512
cdd48247ab228f577c7f69aca03b5b3bc5b3bcc6368919b6d351df875f367629e42ef83dc53b06f235c6cdb4ed80fbed10617cf55f4b3b292f37e7195550efee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff5e1e49c10c36cf6fc2925551913f3d

SHA1
0db5f87f973c28c28717b19a1fda769a32ef87a4

SHA256
580b60986fade0c65ffe4a29de1029211eb8d88595ebbec659b1460c4e707b34

SHA512
9ded6e35af9b95919fba3796ec81cd5b99db9cf3383c9bc62a08531037ec8e40124bd61e86a340ca3f3457414a2102a780b0e17e5cc29f602fa5c31f4230fd70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3e494238b64bd6314ae2411c5ffa358

SHA1
40220133679085a8c9b318ead695822574bb0945

SHA256
09b8fb403a0d94959bbf184509f13b7dd88824d57dd831c665726396dbd358e9

SHA512
6706d4795ca7fea7f4bf22409df46abc1e4afee66a7a1e8fd72ba02b989c073b98cd58e5afc9d7ce90056cd389d0e29e01b7e61f7104fd4f1ccd032dbc41e8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
141b2faa9a211632929fa2c706128bfe

SHA1
886a5a7e981eefbcc52f590c2a26ec6aa29991d9

SHA256
3835718276a933dee9adec110069b3afed5b0d8b685fd59db1f43a4f256f6dd1

SHA512
1282f0e958c10921dcaafee3e9bf2c6ab1a40ad219f87fda17d7f46b7be05b61909885acdc40ac73910dc20b69f48396afee1baa65d8f904c23be928c92e2d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
524c0eba78201e8faad29c29d0a611ff

SHA1
b8d23f3f70313f9f0f8c1e293e70a3f8173adea9

SHA256
693ac11a04057152b30e8d26dc646186c3e54bbe397122b457374d92620fde52

SHA512
5481d83540551f9999d6dbbe94c7ac200b53bb81e5d9a5a94761274332a0b4e4aad05a9689fed5b9ad6fb2c1d06f91e2730eaa4f53950f8e14cef5cf2af452ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeec2e8fdb3d10926be7f7f005a6add4

SHA1
ef91d915a57451a526ffde4634f1152c6a751104

SHA256
3a35c99ef359936c246b01412cf6c3bd0a7b190fbfefa584d62cc27e6f6522b1

SHA512
c2044601211d75abf5bea962e73760289ec660326f7e8fce5a588a6a7672923682fa45a0876f197ec75c943d780bd06649d1810edb8331a293365dcc415cb4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d41751b64fae524a4f685c0fc3fa93d1

SHA1
0b6de452fd8305cbe14e0cdd3ae27a7d21bae4c2

SHA256
c5e24838a2afceef4ae57340a3f2a7e2eecf0300345e7621bf1ec1127f0df1fc

SHA512
73dbeb2f13f4461c0aa0226c9a76aada364468bbc6b40263cd54b03c289b47bd6b132d1d3fa49274566b211ee7849974c53c1b7c9a98eeeb98321b8c57994cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5fe018.TMP

Filesize
1KB

MD5
778eb9b875326e2188f66988946ea80c

SHA1
8149d9498f6f15f4c0ce4e7019981e9b155a7b10

SHA256
cd83076a541018e7df47371c15d15cd1014e58097f241473b6b3f7e7758ec381

SHA512
dcd59556dda669fa150c84b02802f0c7bd7e1db5a71d9d92509d2893e085795a25b0c44404caed91092a742005f3804afc31cacc279eed7fa300d90b91f89b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7cb0b68a6cbd26bb2fe9a375e61e6847

SHA1
187d22a139a84d3827402f83cb9cb01556e3be96

SHA256
a23530b51983a7f3304741edbc838d2472837193a1a1ae336401b839528e398d

SHA512
aa0689d65845a18fb98fd04c51ea12d1eacdbda3469cbfb53c094393d74b33d1830d189c1761a2710bd414ab6c4011b50705cc73aa34f3a440ea3c96de2f3d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
019b61581c64ac52b9f8b77c9ad0602b

SHA1
27e473dff1acae37be2e00a392e6a3a67e2595ca

SHA256
744f464043802b3da67b28a1b7ffa1e858af3d50635e1d23f863a86a9a201d94

SHA512
91f762fa9f15d0c9000cd9724cf8abfd66e53bbd33324ad9855da2ed47a37a5990410074fcfc3327093b741f086f9470e964263a28aca59d7bc7f11602bc5126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
38b5f75abac6981e3bec5af1682f6f49

SHA1
4125909f6cb7be57802709bec14d444f91dbf2f4

SHA256
bd240172a9ab2a5384209c8259619311825dcc484d856e3a719afad9c6d982f7

SHA512
297323a061cc7424bacdcc84d2988c9e1185f6d1705e8663fdbdf53bb817e138fe7784bab81b5a9a6f6922885ea1fbd9c97241868d0be4d2d4516bda13f0c19c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
814508c0c0689cb7fa8a4e349ae88214

SHA1
c0a40ac4e8fb1121d719517341e0ef441f066445

SHA256
510df383e24778eaf33896281a30bfa84bf11e8f53750d3cfe68a9abb8192633

SHA512
fac6b088400b4a4a8b140800e25509e3cddf822d7cb11f38b2c3252b81605d0850f28ea47a9397c7c729f26aee5a73e5fa7e3bb8a70ee4cc7654e978cfb4555b

Download Submit
C:\Users\Admin\Downloads\Ransomware.Petya.zip

Filesize
538KB

MD5
e8fb95ebb7e0db4c68a32947a74b5ff9

SHA1
6f93f85342aa3ea7dcbe69cfb55d48e5027b296c

SHA256
33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9

SHA512
a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320

Download Submit