akira | hxxps://bazaar[.]abuse[.]ch/sample/20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19/

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19/

Score

10^/10

akira discovery execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1599119623-YTQNL 3. Use this code - 4616-JY-MWKD-YTQJ - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/1599119623-YTQNL

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira
Akira family
akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2488	powershell.exe	118

Renames multiple (8427) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell command to delete shadowcopy.

execution ransowmware

PowerShell

T1059.001

pid	Process
1472	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe

Executes dropped EXE 1 IoCs

pid	Process
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Users\Public\desktop.ini	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64_altform-unplated.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.ELM	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-200.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-black.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-100.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-200.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\15.jpg	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_ms.json	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.7a43ec75.pri	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-48.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-400.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-125.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-150.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-200.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\PREVIEW.GIF	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\8.jpg	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fa.pak	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-black.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\akira_readme.txt	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-100.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-200.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-200.png	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
1184	msedge.exe
1184	msedge.exe
3504	identity_helper.exe
3504	identity_helper.exe
3576	msedge.exe
3576	msedge.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
1472	powershell.exe
1472	powershell.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
720	20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2432	7zG.exe
Token: 35	2432	7zG.exe
Token: SeSecurityPrivilege	2432	7zG.exe
Token: SeSecurityPrivilege	2432	7zG.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
2432	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5056	1184	msedge.exe	83
PID 1184 wrote to memory of 5056	1184	msedge.exe	83
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 4928	1184	msedge.exe	84
PID 1184 wrote to memory of 756	1184	msedge.exe	85
PID 1184 wrote to memory of 756	1184	msedge.exe	85
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86
PID 1184 wrote to memory of 760	1184	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bazaar.abuse.ch/sample/20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82f4e46f8,0x7ff82f4e4708,0x7ff82f4e4718
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11339736917814786337,595103121147901074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2028

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19\" -ad -an -ai#7zMap21072:190:7zEvent28739
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2432

C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe
"C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19\Log-31-01-2025-04-53-28.txt
1⤵
PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\akira_readme.txt

Filesize
2KB

MD5
89a805333f18b10a6ed9ece3e3163d4c

SHA1
9b6cebe4f73b321af8fa98d0dda70fc74d34fb8a

SHA256
1a9ffdf69f6e7d062a20f523083a591ee21cfd827813609b7b9135ee8f408364

SHA512
42c4fb1906b35011b1dbefbd6d0faba734b3ab3dfc653404c7ddaefbf5ad01acc5fbe3b3b12cb556c8c47cb6e573fa14aa198acad88f7a2e305e047256bae51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
c2f2e9a5bc1ef300d3e1528d1c4f094f

SHA1
89ef52f7c835501b73952946584e7cfd82ccc0e4

SHA256
acfe7543e3562620b02ce62004b640201ae9a0a221f273ce3f6ee777246384fc

SHA512
2a01e95b8409b8ca8e488175233c2401fe386d42fc2bd59af77a75be2beed781bb15c82b073349ba6a102f275495df065013647608257b64c4ca640d69e87275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6a53cceb7a396402c1eccd08dbe38a73

SHA1
96e06029b79791df1b1a0a7cef7508a5c44d13c4

SHA256
31c8ba2ce8a088515e4feff78968e8916c759331b7428421a990cc349a208b51

SHA512
bda381d092d0272a19350a66533ec0fac2efccfd26fc87695a8270eb3d4abec01483b31dfae75ba3f128623454d471c9e948c44df478edbdb6b5a15377637036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a451e41e51facc395053e7b74c3490d0

SHA1
c866ac24af529f0265e99bd88529da46c9ff6dcc

SHA256
cc33bfdf9c856a2e9e9aa8eeddf9723a0396fad82b0dcae7a408bb4c84fdb584

SHA512
553489450d55d7adb9c859e521d0e46961490e54c533c826adc8c546ca0b51ecda82c159801bd060a291e724355c6d4fd2ee603ff65d4a15603f34f1472664fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
845cb3a6d325a86572209dcd29a1504e

SHA1
f1e7a5416762f83d8133f98cf23df488064b516e

SHA256
b022cbb6507b7f6fa3db10d07786ccbafbc2a11a68ec13d9afe1e3f37be3e73e

SHA512
487245a0343ad4c59c70620d28449780e82fcd1f89986f901ab8fece105477d1ea1617bef176a2ec0ccc2e096ecd65d8fc6205280911ed98005664e2c9692557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e142e6654f1ce7477943b3f06d38d648

SHA1
d02ad2600b784ffdcd3caa827eac6385172eac2d

SHA256
681fd61ddb3a3f11261d7f308a52df06a9d6da8356dc94b88a6b4f4366e5923b

SHA512
00c0757d324c07fe0e5dc25c8b6206eeed83beaba858faa576e0d6c1f8de6cfdd06a6fcdd2e3095317cee7870a353c55fe16aaedb693a40e21abba18d1ab79e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
68c848cfb57d50d7f72425c31529e1ed

SHA1
2ec738770a86e3bdd295ce8785d78697e5b47c4e

SHA256
4d6bada1498056b65b2b53ceaae8a192dab90273735ae1a93ca92ace11ef293a

SHA512
b348559da2757390c0049bac5ee169475406ec230276b197d0e5f33bcab36829de074618c962c2836cd7f80e8e7b42d74ec9754f21daee126775a940cdfb741e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
300f13ec646973b1b98be5f479d32469

SHA1
ef549bc61792675640da49f6f4e1142b7d837add

SHA256
51dc28977ebc465bfd54493671b009db334e1c3e169a0849b9ffd869621bf7a8

SHA512
0be7413ce55e094c4d71f3bb042f992dcddeec4a1ff5ede7157dba9904eeedc641e85a5c4417743368790600ddedb2757e0b1ee248ea2fa53889a794351b9861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
23KB

MD5
c51c107a4b1e896976bb627ac05ccbad

SHA1
744d88fed6ececd316374ff7dccbd6e0976f86b8

SHA256
a281162fdfcb7652817f2976fe41c28b54c322944351c5749c5e97c6e163ed8a

SHA512
2b210ffaa19699a7b53fc440a8449ef09e1bb07c3efce751b27d85ed9894ae0a280c0dcc689526ec3bf77435d95bd65fe267a4b3762cac9e6d8b5e14e5c399b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
30KB

MD5
8fc152baf3b5a1574acb085984c7f55f

SHA1
ee161e569108bbfecbdec721d6d7715665e1a56d

SHA256
13ff9f418f5aab7944881423fa84c62947eb81c549a529d0557746e48ffb81b3

SHA512
aa5d5f5ead812c0bf733b0afdabd049dff6ee6bf6b60eff6bb7c0f285044e50972f95ebd2c2464fe5d514f06e07dae0834fa0800dfb8fad77e8d0f03e0d3ef6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
78KB

MD5
a959932b38c53b8bf0fcc0c6cfa8e2e4

SHA1
b45c18c73fcf1bd8dcc4fb0d3e3ae516afac10d8

SHA256
b9d141aad070142723b4692f91a92e12884eea42f2d805c01d1f46ed5ed8b0ff

SHA512
feb8eebf74335f5c733e3a1ab1cf140975b161a99d3f605642c26b2044e20c33d0b62688a84866d48c0bade7d457b37c283b094e1154c6dc7c17223d05b375d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
48KB

MD5
ce87c917a2961105c45a185521d6eda6

SHA1
d71813e5325dafd2aa2538dc75d4765c51ea92cf

SHA256
048d53e2849acc54c27ab87dda7ff6690083b2dc3caef679351cb75a9cafb842

SHA512
e82c8a2094b2b934b3f1cb0502180defdce34cf0aafd14e396bc7f708d82c7f2fd2b7335ba33c4a10fe1166886d245efa096dd81215d43a5984d15263112b5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
105KB

MD5
7155e03b845e010814a88ae2a472bff4

SHA1
a8f71935b8ad74826645dfbed835d2480ff67735

SHA256
1581f5db14c8b75479dd74b38ddf7a8f67d7178c606ae1a31b47e22a88e3d997

SHA512
4ed4e783d490742f43fea0933f5d9df69eb0dca0727703c85316b203718137a1dbf46eccd7ef00a689f35d8de603d931d7298ce8c42f6f526d492081491adb8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
100KB

MD5
a3d101437a1bd873c1010eb8249add3b

SHA1
e0a205a2179b42d18b63f3938023d268def3fdc3

SHA256
5cb7eeb318275984e373aeacf13da3086769959d1e176265f553db8d05ce257a

SHA512
3e06375a9f6348afc7f06b785c04573aa002e0ac20b652fa7c453d269a59f7dc084f7a4213380a21fb1a88e5d952fc253ed2c56b1830693743c3993ed2bc81c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
316KB

MD5
09ab99056644bd7bc53ffca016ca56b5

SHA1
d620d886097aa316dd70a9d93d5c8c8acd2cdf62

SHA256
2eda3f6e552f3d4845f753137fbe147d8bece45bf61f639da50155f93cd1dfac

SHA512
718f2d785cd9af7e7f29e607cb00483997acf8b62bc082b932cc67c29a3074dd843f7c58527c0ec8bdbbad94dd7d9c11525b07fa254656b817e283fd3b01b7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
27KB

MD5
855112e12f691b399ff7d443d15e6581

SHA1
16458123de100d2ed24c47a99ede3bdfaf5c3c38

SHA256
42e7cc645229eee0de7bd83628d02ae64d7dff24d3b9a5cd6d729a8c0d04a9c5

SHA512
a05c86a0b5db4d75178caa6a3f555330ea889da6173e86ee42567b8cab04d82208e1a3f1977b3ea98e4b01a59f3c5a9ed01ff426323523765d3685d6285d781b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
39KB

MD5
4b123afef617470592ff690ee43e55f6

SHA1
5c658563d8be6010878b9b59f65a3d256f282494

SHA256
77506bd9246ba96d8b4547a5ef7312a6b1bb01028f26da8894b1d35cae27f563

SHA512
cec52dfcb6e8cfd9030dd99e4a40578feb51227692b094d6bfe4874cc5f46490dcb94099146164249c04cba1f86ea4e8c9f825f7d59317bcb622f52131e9ea5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\02aecf8da6f8f2af_0

Filesize
47KB

MD5
0e10b72bad0bce2c0334e4fe84ad3a41

SHA1
6b9cbf51377b71beaa19f9024c5d43daedcfca7a

SHA256
26e6afe7e0019bced0b31a448808943799415260e2a5f168d077a9ad62dcbfa9

SHA512
cd579b2552293ed6627c5bddf3551e8380975a8ef001db86973a131b98a70261145e9e80b779c33c50075f3dc7ae6df931d266543e2840ae8c1a9ac96b2c7ca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1d6f86f8bd95fd1d_0

Filesize
713B

MD5
ecdea87a83968e6510ba3f991c646836

SHA1
1c5fae8c5e1b03a448e0e57e822f1c959ea90751

SHA256
97848613597bb8150dbb1d32768d18743b3a1a10459c6a80f6e24a31b6014d2f

SHA512
cbc7268187c638e19ff46271274f357bb6866cfeba9a77981195d506416d78ee51a26346a7663e8b818b407f4d6a2d65db12652ffcf644695dda65996ebf83e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1f471217abc11b94_0

Filesize
466KB

MD5
409291a24bd01cabb5dcaefac403a092

SHA1
f2ea8aefed5dd50d3bf75900f99a5630fce34672

SHA256
b7a39187f8bf51c20f3660097c47cef5d3905d37ef3d249fb5aa5b75b429efab

SHA512
14b44b4387bb7d368e3b1cf755255ea524744678a10a213c0a198ddf7fb68d118d7291c1ef00998d07788ae27e42cc1b0e799d55c684881e47c3faa9d61c1b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\24a37706d3ab219b_0

Filesize
761B

MD5
6b42ae76c80ee111b687b24ed105086f

SHA1
87d4dbfee768016b00a535bd5ea7279e1040686f

SHA256
21af1145b502a7c97887fb13aaf0f37cfee6098062bc73178ee9cb4a06087d78

SHA512
a242b03e9d022191326cebede16e013452e338a46be05d9d600f18f8cfbc5c0b5c119f3592bf6316d04835dc8f58c13e1a08719b344f5c5a706f94c7f6942f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\33f25eb1d20aa883_0

Filesize
795B

MD5
85f7fee096855493dd1c54abc9767fb0

SHA1
26d3211306f35138afadeaef6dbc3c9375c4b00a

SHA256
f4aafc53410d56bb31a6157e397c9d2fdd0868ac5bc75ee79855680ef759afde

SHA512
26a88d8898626b00a2a2f7751e557efcf929ba66dc37ef93a753b66519599acb40443d03b42ac2cf78b0056bec745b9f2e41579396b51b923600f749c71e4186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\41a4ebffd069515d_0

Filesize
771B

MD5
8c785403c99bac6ec45109998a409693

SHA1
10f47c35d4936e45db66c16e6f60d7ef0ed845cf

SHA256
9a71a84a392992a47d1aa2d4928d049570921067153bc5fbcc03c03ee3f44746

SHA512
19de9b4e4e203385484e7e19c2e98c6aadbad24d616ff9cb39c0ed1e183a7c3ca5c0c5bb2e5c5ea2e84c20210509c83bafc248044e0bbaa1e7a4f6f454935151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6212cf39e7d43f65_0

Filesize
107KB

MD5
51b80bd71e1cdc61e16570ad3bcaca85

SHA1
5e1b8c484fe85d241eb63577a2242e18082f4282

SHA256
60c246d6bc7e539db82788b1e31679925c4f2394bbc0b00a8a8d662f87860d46

SHA512
2b36f21bccea5afc445f12d605f9244d7ba8f98a76ddea6e23253414e6e3a62a4960daab44575df6d165cd54215ff9893b1ea24517e7f5ec7918b68c4b2c4c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\64d97b09dba174fc_0

Filesize
710B

MD5
4e464bf830095a2a3a40c85a9ee00f8d

SHA1
4cb6ea33a0fe03474ce64d4adff43e898638cc6f

SHA256
52444117108b029dc6c8ca8d852885173471600ccdcb0846ff3bef1ff0fd1690

SHA512
41d0985b69e432c0471dc0042a5ac67b71158ceed8c48a74c120c52b7094f9347986c74daca9594099c09cd74875a3164a196a352f56b3f94011afdb50a2f5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ab3c6f7b33a16ef1_0

Filesize
775B

MD5
ba9b049be4835bb92e3ad31f3fba6b80

SHA1
9c14927c4bd33405097d6ea0f6c58a13b4dfa172

SHA256
7774fb58b7419f8da2c55e8795b415fd98af388744fbc2a2322fb3672dd312c6

SHA512
629d474db881b628067283e6c7d1b69df88383f9c92276850d0b4f333ff95d5e4261ee4c856d7b68ab9c4cbd60093831ad5a7d8221123baf7883437b3b397c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c12ccb2945c7c3c3_0

Filesize
707B

MD5
7af78fe406ee2f2776cb9ab2df0c0928

SHA1
6242c5e39b38d083c9c240558ef4f101545b8644

SHA256
c8f800656b69f2f8e4160f7bbf746b4cead10d0ea801ca003e4341820d44a963

SHA512
28f58df954c2d6022b765259fbe902da8c27f911cdd56e4adeea8fa5224fb7831c80ece7095132509a336f19abeb26efa13d70fa1b10c2bd309d68617a2ad618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cc00ac333f0bf986_0

Filesize
713B

MD5
c5985d44dc46beadda57939263684692

SHA1
782524ff679db12a7a5f9073fe992c355b11f780

SHA256
17bc047339ef83bf04d00dd898ea089330f88df7f065d506710db2d78ae3abd7

SHA512
6913a91872a2b22f8be9e089ef3fa89565be0da960b999a8d0e3e68d538a97415037fa504f064485e88d5ea96fbc263062087ddc86ea568ae3334c2d5e000d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e0e6c4f66d9c7bbb_0

Filesize
699B

MD5
75582837f6850b93abeb6d223f274524

SHA1
b0fa3cc5c62d73097f6259c0defaa479e696aafb

SHA256
5fefeb4e9fd2489ab5c1140b8d37facb25064a3363412fc4947cd6887d56f8a7

SHA512
6055a8802c5a9f087c06ee5afd4bc565e10deb02d269b7304a9bd3051de1e7d8fedec05a4c4effbe6f4996434a6025658087f3498fdbb41665e07659d20ebeb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
848B

MD5
45c2c22a987a979617d585f73df74fe1

SHA1
4654c4755ff5601e09a4a5d5a0ee7b8f842a345d

SHA256
ca96ed16ddcef1ad0cbf98a0adc76c4c75a92fdd9f0bbb594b0e3f27d5fb2a49

SHA512
c7d3455c18e52215055708f3b39d39ddbf86d81b1a391aa0d4c10be279373bdf8d1c9a179b5104e75f810d75f8354325f73b646252c1fd38f9cfb24dafcc4248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
ba67ed28a43594afbcf24fe0cda0ad4b

SHA1
dbfa69ce496a7027f036a7fc1a296090bbf0e72f

SHA256
927f2e3c91a911fa07ce48473a4f98d3287ce9d5f3e7afddf6057645f6ed6404

SHA512
7b692ae2254e329cd5235ca6991de0a9af999e1040b663fa5c0b7ccc5978c05160122f0cd1b02811e99120a10d1fd91f7e73871e5c9b38700dd8fadf104b7e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLite

Filesize
64KB

MD5
8a7251a1bf1abaf69467feed21217617

SHA1
7588ce8663ec3dd40e81b48e90123f0d8a5b9a49

SHA256
c87f0be2e674946becd179eec9236ac32265eee351853e0fc051b1396e278148

SHA512
02b6c44eb84aca05e1c0e9d2019e14e66094587fe54f70e9fa967f7a5fcd23a248fd2d7c3ea8836263baf8b0d1fc901259d66a5a8510c79166c60f1751fb510d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
4cf8bca6b6c67d10e3ce13ba3851e1cf

SHA1
28ebac0de4c0c82ebee5e280abfdf4df20c9400f

SHA256
7c6a1ff0ade7a36530fee375ab83c134afbb6ca1d9164ad6f346fb3cd88765f7

SHA512
258dd16545f80e119e15ad1cf96f78fcd72a1a0e9862e4a0488434e30f6628c248d3169c56ac534bb98161c56a5e040f112420b79718186dbc16377b3013bc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
831B

MD5
aef2bf90502ac1bd319a498bf6e5f527

SHA1
6fe5645f01dfcb2e894c1162a63d53f7d283bb2f

SHA256
275a180bf385f360494f033f9a1bfe47db388c49c7bcda152603e8a074470c7c

SHA512
66f896d56cb6b940b79cb315e8cc118a80aa7a11a63266f758eae4b487cbc0ef3af45ffde80f033fb9d07ab268061473159163b6e7475fb3a74c603e92ec4835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
139ba4ebe1999416fb35d3ee2bb55d5c

SHA1
794ab9392a731bbb4ac4632e2c76996204fc9d64

SHA256
ac4dc79f2d76546e6269da51820c644982b00afad5a7cc336380ad831f663a46

SHA512
df650495cf36b2283ca2da26dfdf31e18f071a3dd868d97ddbb20f8d96a982b568eaf691e4d30dec7a30e17bbfc6c45da0ef9180a4a82c1d651b47aae0e6b2bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
af96c74d57a8b7282a8b37bdbd6f8604

SHA1
13369f1d44099a52d5929055b78c38684f056c77

SHA256
ebf3615d36de7d65317bdf5f6e610c0b8a5e4db82d3995dccb5ad533eb3cea82

SHA512
06f2d308bae819888f4dbc3dee511917ef604a2d7363bec8c0ea9fa5e339900009a1192e5f177bb3a8967d8cd32a07d1929133c28b598029e501a1ae436cd9e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1ae4c18f29b14233cc8d17681b942c3b

SHA1
192e28d04ecdaac4d9c10a67015b89357f563cc1

SHA256
35672b90e4d31f43ff08b55a2dea3d3e81c72ce631ae665bcd965903f519d577

SHA512
17745ac24f3461ecff8862c6fda81dd0976f3ae43e7016ce0c4fd17d2ee065773af3c56bce3d1c391b1f1c5ee3c044babe051fe07a1ae1697ca6257a5832fbb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
624B

MD5
b42e51284754a23a0ae5689345cc67f0

SHA1
5129164283c1a3c93ac01fbd6de67e123e16363b

SHA256
2757e39200326f328928439229096a0f71d87c802a0a6ac3ba9f2af12186848a

SHA512
b47b564e89e49e8ed978242b9506afea4a965cd8da61cb36c9f0041ba3bbffa1460d938037cdd812e793e11736875c26a89c480d2a41b317b79f4ce791958315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f4f9bd79c900347715321c195a15502

SHA1
5c212e05ff6275762955d35c37d618f2edafb931

SHA256
f8d2729c87fcde0f222b763af16870f95cc1ca69f65114b61ff553afdf9fb441

SHA512
e881708cfbb9c19375414ea664575fd58bcc231408431bd5af06615e704d96a0787f41780ad32265cd2b6e2f27f44061aa000ab82407f97f7c309d4422491d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
666a05d2c00859a26cc2e7eac5d85b42

SHA1
6a1c979938e5f5d5645f87872142d5fa4a836677

SHA256
c2c895ab7faf3159f3b23d3569eb51f74f657175762bb1a4990919f4417d227a

SHA512
b5fc24b16c6227f88445e2513b9d8491066a543b1a2793176d5c7a111c31a8334727b61e9e2a15b09d84ead2b633d0ff75d68e3acf40e1c7eee7ce14f84b11c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
550c6fcda4f2d26d51a89858c7e0987d

SHA1
eb920cb0b0b9e09867bce1d32bc033b6f07450a8

SHA256
581d0b2b8878f94a6ec132cd7dd44889738217b0c52e5ceec76d0724d3da2b98

SHA512
f0c50d026eacd2650e72e921fbabff06483d272bec4e561af9ded7d195f181857ff7d8315533e67212ff758f9f03d276ce0dfcb31f855310b3e60a7f41d6c5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae215d8195012f6c323d4d87b9f883e8

SHA1
0b9a4430e58a5709db82c7954b0ce499618ff8cf

SHA256
886a06c313883a1b19671f5ba5fe913e62fbbd9b09a0a0e42b673d2bfb07ca0a

SHA512
64cf37555b2e46bd4c155b375cdabdcb21a67c9cafd9094cba1ed80a70137bbcef9261e0aaed045f8f29f63405b4995878f5ba5df7edeed5fecb8c6ecc8dd570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec69745e68a5e9a736139d9a8f7291ba

SHA1
03d63adbc72c7f801ba78dbb1557edb59e30deea

SHA256
ed1e9a0ee2b45790a7f0221f32e37586adc1757ed8233c840f10b87e7e065e06

SHA512
cc39236cd591fcc127363a6ca7aa0db53c4449ffdea08937f0d89580852a636a4b0a6535ae6896d9a3a5fc1df1a2b5ab30b12f611374a2dc90b9fbbf0697fff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580049.TMP

Filesize
1KB

MD5
bdc714ac3bbcb5c64a65c597e7bbc160

SHA1
3c1bf9f8f25fdddab71221fa570814e68a4c351c

SHA256
d9c91fdaa03e31378ae7198cfc6f15db1702e22c1d760726be2340546ac2a8ca

SHA512
fdc524b98f984c398dff6ec3f197efba899463e2bd2b7e1d137cd3ba83f899da6091d439fa730a30356226ad7a3427678a22d0d48864fa98c5e426e98bf821a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
528B

MD5
6463490de5363ede2df38fa3013eddf1

SHA1
5fc3c665f087c69a2345cbe4ea0ef726ad4ae3e6

SHA256
71050b5ac8a9c19d73009f025bab1bed6b50dbaa569aad870eb170abc6246f7d

SHA512
e393e7ae6cb4776ec5f9743c8464e690c9ef26b6bc453ee4e99d3a87fe0403a8978a6f23e9f7fca82f1e2882ea1807502361a9273d2ba06dd50789fdde32bef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
710B

MD5
aaae002d8c70187bc70dbeb63aa68651

SHA1
735c6c6dc871cb0911a882fd102afc6a29ceac36

SHA256
1f3aff6493fe2cc902677e20174beb89117af758934a6e1ef61961edbe706b3f

SHA512
89ec9186d18b603eabc425c4371b7a8868aecae16a7babedbb2e54a98bcdc5c0fccbb7ace0d5ee463f23b68ba242ceb9478f0f748162480f3f52ed83b6bf6ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
562B

MD5
3047a6c4e6cf74f81fd8da13aa49f9f9

SHA1
a123a64ff8162f151f84da6c50a4524544b79bbf

SHA256
1a0c462f7129375799b21748534717b644a0a55f6670ecb7eca966af1ad56156

SHA512
c8a0c53965964b3415e9c8c0d22e84e69dbeb6d429a891b10c21b32f40aea7b140abb51ec62757e075f01747a61210f3a51eb72d5b879488231a7f59b18573f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

Filesize
28KB

MD5
b2cf2c9facd42c788af036d47866899f

SHA1
31fa994996fd28f1a18869ad258564894119e71f

SHA256
9ff85c1aef83168fe6c1d93965caba52367328d8ee2981034720d2418fca9ca9

SHA512
c928804c04763082f701f2b88fc4ce86707c3c731e83d121891505f0a403b181a1a74419073c315f0c4a464a4ddd90c0635daa82db855ff3e2480db9a1591f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
cab4ab2e380e6dcad0af718a98571e0c

SHA1
ea36feaf99f5f656f153a36dce10c19c6968a61d

SHA256
f7126078216a128bc217dec5736b27c3e64792c68f110aa13bd99e6b48a810ef

SHA512
c1877c427133fc5e254c656f7fa9a23cf180985c8ea381415e447da9136e7000dbce9c07667ea2c7d88c946dd587f801f019987f72bfd71c427c6fe5341b52b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
02df277b98c7f9cb2fc9614e9a35f4f5

SHA1
2950008eb41a9625ae0fde996e79e9e2e13f3b41

SHA256
6960397d5e009acfff87f200a73f8705d86b56d2dea8307457a75060061e6c59

SHA512
f7398ddfecb6a9a0852e8a61963b10390a8c24d9152fe79be51b53263c613277c3b3da7c33fd2f2cd6efdd0801cdd1ade53f8db9e2dd7651767656af435a14bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79d5def3bc8c633f6b56f902002da732

SHA1
e9394a276135fdf52fc2b2e96e146e85ba67ad22

SHA256
f1ecc62265de4ee92688e59407895692b832585b1b53388b523d2477a125fc4e

SHA512
57dfbf9c62e318ce7899159d70e9887477492866ede50c0da50b0d64839aa6cdcd843ea9685fc94a5067fb569e06c1db947b9561d5d2f48a3592ba90bfa89a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqvhyzni.wel.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.zip

Filesize
413KB

MD5
08b51b6c11f3e2872f996cd7b7fe513f

SHA1
e4c6113715ee98cd86af9f24a6e819f77f8855b4

SHA256
637ed4c8d5349f378201bcea295277c839df1e03462ec5cb3c45dfde3d54b0c3

SHA512
8fe97c4dc1643f030113c8d9036de5269a51f8f525147db52d82de1961fb3a80758ed44d56bf530a122975a9bf2e8cf8f5aaa62871a712c6397159202da362bf

Download Submit
C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19.exe

Filesize
1.0MB

MD5
2ddb664a99000837bb9975fb8aa5796b

SHA1
514a40ba1ea2a1dd5461ca900cd34bd380721604

SHA256
20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19

SHA512
694cafc314aaec187be21c37fffeca597c60f3795d0809c4180e7182c3fdc88baedf4ac035a2ebc5607f4551f842195c911aa4bc2714ef7db42110d427108ab6

Download Submit
C:\Users\Admin\Downloads\20c8003ce867f220f35d70424592dd33c5ad53d5d3a6e7845394375bda6f3c19\Log-31-01-2025-04-53-28.txt

Filesize
43KB

MD5
7d7bf84fbac83870c27f5c5777c7cc04

SHA1
96462e1d26c3d094d27b9d16257d7955d7da13bd

SHA256
17b813ef04dcf7a2d024042ffc99aad89fbacf6c03fa1fc0765c7ae680307900

SHA512
db32088c41f6b43472fbaf92bdbf481792848731b13e8a105489abfb3ceca3c9e080cc619b711cbfd5971a0207d7e6bd24ee33a7c974dc176d7df5cb222b863f

Download Submit
memory/1472-292-0x0000020872070000-0x0000020872092000-memory.dmp

Filesize
136KB

Download