hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

02-02-2025 15:47

250202-s8dpgazqbp 10

02-02-2025 15:44

250202-s6mvcszpel 6

Analysis

max time kernel
149s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-02-2025 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com
24	raw.githubusercontent.com
47	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-946476529-1335986830-1090511001-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3056	msedge.exe
3056	msedge.exe
5912	msedge.exe
5912	msedge.exe
2676	identity_helper.exe
2676	identity_helper.exe
4924	msedge.exe
4924	msedge.exe
5940	msedge.exe
5940	msedge.exe
5756	msedge.exe
5756	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe
5912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5912 wrote to memory of 3740	5912	msedge.exe	83
PID 5912 wrote to memory of 3740	5912	msedge.exe	83
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 5252	5912	msedge.exe	84
PID 5912 wrote to memory of 3056	5912	msedge.exe	85
PID 5912 wrote to memory of 3056	5912	msedge.exe	85
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86
PID 5912 wrote to memory of 5784	5912	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x40,0x12c,0x130,0x110,0x134,0x7ffe569046f8,0x7ffe56904708,0x7ffe56904718
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1176 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17898202345638065776,6049259589481344900,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3404 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3fb127008683b390d16d4750e3b7d16d

SHA1
8204bd3d01a93a853cc5b3dd803e85e71c2209af

SHA256
6306c5c7293fe1077c630081aa6ed49eba504d34d6af92ba2bc9ebf0488bd692

SHA512
2b8003cc447e44a80f625a6a39aacad0a0b1a5b1286eabd9d524252d37e237491d069c603caad937d564d0eb0565224d6c80c407b61092b562c68087785a97e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
6ff1a4dbde24234c02a746915c7d8b8d

SHA1
3a97be8e446af5cac8b5eaccd2f238d5173b3cb3

SHA256
2faaca6a253d69be3efb96620ba30e53ecb3de12d5285b83ecdba8cbc36e7311

SHA512
f117b822aeb0a434a0750c44cbf4cdf627bfebc0d59e266993a4fcb17a7a0519659e13b3bcf8706eed7d80d0ce33b0ce5915afe5872c37c010a401dd6bb1187b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
6a05c19c1af9a321e76f47c949404449

SHA1
48d395094ab144deb6d56bc39a15de738462e3df

SHA256
02d7219feeed4900ddb5656e05b232cbd96ad6a6cf161ea5b57dc9115b8b2ef0

SHA512
c9619ba88130193a32ec440730471f0b23e648bfd3ad8e21f01cc7345edc0c76fb7cd34b7d9dab2c79701c39faad66a99d6cf4980fa9205087238cf958685b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
73a1bfa88b70f0a24fc49d24bef95677

SHA1
217489e9b8effe8b4031c23cf276b3552637c6a1

SHA256
39b0b99cca0d3c4598fb4d6b5bb83454945794974a76a91da6ed862664eb0a09

SHA512
ae854ef51a1616e81e69bccf600ada1a2f23e034a6a471564be6bff0c21cdb60c184cbe3218c84a9f2fb210df286b69cb34ff667f201c552775259391a1f1609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
eaa41e447d34ee9c6bea6cf1ecc64ebd

SHA1
a2a47395a06103cdcd85d3f247fd3b55bbc44d3b

SHA256
62b4fb5acfee3d2deb0d1390df26172cfa2b5a17289541d7e7caa2af7c5d379c

SHA512
5cd96c25eca6189037a78cf9cf4fc93771bd939420c27e9e6fb0144c3c738d3b6c1d69bdfc1bd98c140a40dab0cedee34b37adfed69fc79e5a8c601140376844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f48b94d6d0074338263a77d5f98a307

SHA1
735af53f29151b2c010e72af342c6d1da009eade

SHA256
6d7ae1909e94b85be9655da04ad35ee862511bfb727fea4fc2867581f0b4df24

SHA512
11c07c5078485b45ae6af4a169ca1472039e7b33f5cf115386c7231125ebec4f504ce3505ac075aa40cb5a1ebf5db77008d8e3708e8bec256d1af410396764e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2188038d37c5a97511c2f9478a01c58

SHA1
e4e6a01e212977099dcc809922a1c83e5ee46ce8

SHA256
003b07fa18609c80a971d5137002f6b07d89156a7ac44d2199807850350be8f6

SHA512
fe3a9ff42acddd7251e71004d424f665a3b0523e7c733e358a50df12ea09ec6cfc46526fb67f00a8ee8a66f2db4a0bbdef19630dbcdb070d30b815c2808f64a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
25814f349340324d3ab94ed87a1a46ca

SHA1
a421e2cb9e5556683cc6f48c13ede69f3deae753

SHA256
270a5a3d78c45f4e477f3edf84a22db8c83a52f9360bf4760f9abc1d7a14df4e

SHA512
c136637ce525a941870475bab329d8a6741afe586847a10b15daaf182356f717bc900084ee45374cc1516f9b23ac5a6b07462fbdba4b73c5e29ba72a1b4015ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
374f1ccf54488041f0e5f712d0b874e9

SHA1
56294c8007b5786f72e3240630a12b0dbab5c6eb

SHA256
8106a964fb512b66a7168b3c0663207049469aabc8543d62a1e455c7e43cc7f9

SHA512
12186d2dd4f296b4abfbee116bcb5301649c03c7bde9d06b7fec9469ae5a04c232151a0cc4dd2d913526ddd072cdf7f7b913189dd7e8d8d965cff650bac1065a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0677b7272984a6e8d243405b2c644c7e

SHA1
a844ae7f8d5fb7839f1258622142e67953d19607

SHA256
d5107326caeba499cd7c455096423d8ae9417bacee6cf3aa6f814d93eb4f7ed5

SHA512
0680e6d08364b7eb6d66d25b26220c21a4974d249c778f80ee60e5a257d44afbc2013017a8743699c7139d6275b97883940e7b0914bcaf1e2281c8238b64c972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5721593b357a7b0974cd5e08a5644782

SHA1
8d429bdf1343a004a3a3f2a6ba3b4ca3a22dbf30

SHA256
f810bac8175f41b663e37ecde26cda37d89b4194b172ff09f074e76d09aa9f68

SHA512
8bcb485a8c336e9c4f8929d4acab28e421171fb79b008f1db784d37e2911ae19a4da2a05eea2cf375a753311006163b47ec2a5c15465fffe9ac2413b396b58a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
81b680553ea1df58490807c190ba85a6

SHA1
8d2a67d5a0983505b4f1fd234400f35a8e8608a2

SHA256
ca56a49959bd6558aefcb3956b6632e6f0fd3c59c5c7c902bda35451252e2286

SHA512
f201c4477ab1d58a4d866e74ffab7e8eb47afd2c5ae5e11521cc02a9e1e64eb365420c67745ba9d0999dc4fe71b9b2e28dc927fba986d087348a0b25a292444c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51eaf4bb859a319ef608aea60b6f85d0

SHA1
6e1656bead48bf12353814a2154b1d00afa06f2b

SHA256
db151da7be21ac8057259a65eaac45e19d99f32b70d1dd74e6ff77b1c02bf203

SHA512
968d28c19f18b96421fbc7e7d834c2fc9044951040b1cfa0b4951f8833b46c17c5b8a341aee09ef49df201db93b6411b3661f1790d0ee26bcef681b83f396b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a40201df3b906aca8dbabd51076c4ad

SHA1
5701a4bf3c04b8ee807441514566a17753011d52

SHA256
c4770af30265fe5f12eb6b20273c7a281dbd69110f7453ee21d34ad973d71f03

SHA512
c04e7a18e90264d62c376e949814a2f2f08497c240945c846c70c44e5630d5de7b255caa82961472903f35f6a1033b800d3c0fdfcbcc6f01d093678be6c2a668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c2f6b1990cc497c229bed3be4d942ac

SHA1
5800a106f01672655fd71143636ddcec9cf5d1fb

SHA256
e7fb133cd7eae9dee12f1d59de68f134bdec2ef435c8f844cc7c37473358ac18

SHA512
ce3d2b6734965d18ae363423c7f301fd9767a391295bf028744f5fc993d2eb6c26a61fba4688760ad68872b2a28d4b229eaf8a7c745164ac5cdf62eb31f0f238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fadb.TMP

Filesize
1KB

MD5
5ca39ab3d4592bf57696647b181ac317

SHA1
e7a82071ac80fb44530100123e35aeb4195f4c79

SHA256
43636bfe1dd6d5103cf2d30af9adbc0c0c15e5349c297973cbe7db5e6b5b8733

SHA512
c4f9556e3fc8e26794a0dab9f9a0500cb4919133175ea68e162e55fdc17b8a57b820590983da7ddbab5b8f602e8effccab9c2dfa7142a17ed1cd376818064f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d9ae0eb7aae70fb4750aa0527b1f23f3

SHA1
e691f9bdf2927f496e15d50b086df468ff41e1c5

SHA256
efeed99b0653315afb94a7ebcc14bf0ce57755e56d881e600d3c4aaa9142a593

SHA512
5e419db0385afe6cd86b113bfdaa57b66fe539f5df2a663ba846933099414ff966b9290fbe54b8247f47fa4c36cad49dffb80b0ac806ce1256407d53432d7028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c1daf6c8b12c11f5259b3737ac81fecf

SHA1
53b3d23b267ef80396a06f1a36b8fb8465f07d19

SHA256
54af9b4d142314fdaad2cf73967dd3e7f567ac5bdf43d0dedfd5f4a94b34e1a5

SHA512
89d34201aedcce37c1d06393b814798e5577475b55d79ef9c7238f0f2139f5305dbe5a76a1b0874214f8912eb411bdc5bec3d2cd85e11a694db99b13848f470f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb5b59e5e4d1f3680cd2f401e9f40c10

SHA1
66d36e9c0db1fbe201eb7ed6a85596e55a81fe3e

SHA256
16ca421bac558eee30b8de8b1d0cadd354f4f2dd5c4f081e7d953675e3040bcf

SHA512
7f7c2c5496886d4c236539b864b89f3be30bfe934cf6cf422dc5db1f3a0f9d10ecbffa4ac833d357307beb96c5df6aab0483263ebdbaaf062a4d5e35de9c0891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2986fdbfe80c50abbdaa6432212e2d48

SHA1
b2ee39572fd8a83961905c38fe2425a97557715c

SHA256
d3eef3c257fbe93a4759905367c76f004ec180bb9edbd16002f82567de6bbbd6

SHA512
3a245ab0842c4bf1232367b19d69217f7af101c2fdbeb15bba9f587ecae97656ec0cd8ade432551b2f093dba1f49a96576c51f0bbea494971b90cee1d056d60c

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cryptowall.zip

Filesize
100KB

MD5
8710ea46c2db18965a3f13c5fb7c5be8

SHA1
24978c79b5b4b3796adceffe06a3a39b33dda41d

SHA256
60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e

SHA512
c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583

Download Submit
C:\Users\Admin\Downloads\Ransomware.Petrwrap.zip

Filesize
1.1MB

MD5
6884a35803f2e795fa4b121f636332b4

SHA1
527bfbf4436f9cce804152200c4808365e6ba8f9

SHA256
cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c

SHA512
262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 167739.crdownload

Filesize
15.1MB

MD5
5a71fddd6b48215f4950ea80802e8ffe

SHA1
011df59169894512015bf302d338c506d1e6cd7f

SHA256
5fa4cbe0983a59dddd8a58c33a5cebcc0742c24f59c08f1cf78deebca0672697

SHA512
2cd0698ad20620cc8c2d94cb5eaf2ab2ae7ef599f426bf91cd1c2b3387dd2c9be362eff53ecc9cc969cba798405e618728966f7a903f42cbd0098f7b8327ee4b

Download Submit