troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
150s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2024, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3124-284-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-285-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-295-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-296-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-297-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-317-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-343-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-353-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-354-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-355-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-356-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-359-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-402-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3124-414-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	camo.githubusercontent.com
15	camo.githubusercontent.com
24	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xyeta.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
2348	msedge.exe
2348	msedge.exe
3032	identity_helper.exe
3032	identity_helper.exe
4984	msedge.exe
4984	msedge.exe
416	msedge.exe
416	msedge.exe
3124	[email protected]
3124	[email protected]
3124	[email protected]
3124	[email protected]
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3848	2348	msedge.exe	77
PID 2348 wrote to memory of 3848	2348	msedge.exe	77
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 3020	2348	msedge.exe	80
PID 2348 wrote to memory of 4868	2348	msedge.exe	78
PID 2348 wrote to memory of 4868	2348	msedge.exe	78
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79
PID 2348 wrote to memory of 3668	2348	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff751c3cb8,0x7fff751c3cc8,0x7fff751c3cd8
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6695366435217013740,13701082176193729860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]"
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2fbd9dd08a4f46d2f58b3992848ef1c2

SHA1
343a1efaf8d99ccf13ff2daa9089c835306d152e

SHA256
c5cc3a245515fd0239c58aba8c554a5598af29da79da0ce5c23bcce291e03314

SHA512
01a2583a03277637c66404973c1b6a7d65e7a885e4a5ed7c10439647a8211469b2a5d6c2961dbfad826c0f1e9b6c06cde69bb309fccad4886ba678b980aceeee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3a6d935359a028d5e6af12c5523def2d

SHA1
5da2125ddc64237c86cd88cf02253d6d95fe6aa9

SHA256
7f9ab63ac78ba21df87d2a39fba0ea22cfa22e85ab05c1d62b16692a4da6f549

SHA512
513146fc5e734f2d430f8fc1aef7e2b84912829efa316958731c35fde4c5cd64b868c7caaff0cdc12ae0734ed0eefbd7ab345dfd10da9a6698057e520be51dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
7671c15bc703423561de78e7a70042c8

SHA1
b308490c5d0d00d253b303f8de8884d9be9a0952

SHA256
141722df3d7c934ecbfc14b75e1585f67f9341da9adbeba9c1241764116e0eb2

SHA512
a39303ce79fe34ea1f8e9b89c4330e264f0d6c460b17a470df47286d9ba60b0e358d808f5bc974957cd63a1cc3aa4b46bf69fb3ffdbf542bf193b0e19bc2f23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b6ae50abe858385a3931b3d9cdebb57

SHA1
e62ccd2bb5238dd3693eaa44227382c975560b05

SHA256
2f0d1e88aa2807e5f0cb4149ec66ab48cda416fa8f43056cb6536a7a354521a0

SHA512
2f5c645095ef641c5bd9109896e160a8229110ad7f9a0f7d12d1715b091f959fad0e335ed4c3dc9ee893d121844c56d8cdc537df258d3c5da2814bc2fe95b7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3258ce70033af44df032822eba138d34

SHA1
582a4e6765aa24a40380a8ab0dac2a990d4955b6

SHA256
adcfca08966ae4ad9471f56093ce424a4c2defb9ce5ca84e152187810f198c12

SHA512
4a4b72ddd062585ee861fccbfa8e5a5fa10f6bb24b68f00b6f7a25839d32e0f680feea8724ed7e9b33d59bdc3a93ae6fd530c0ee61f0b0319f221a3a9b68d5b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
043586ad4671c3c4af0a314aa634acb4

SHA1
4178d716b6987daff3f7f58da41191b79338c454

SHA256
242d58a83de375db9c0e3c070107790cf9923d8c43634b1cc8fd0f7905a97e66

SHA512
3bd4d2e73849c9403dc01ca321dbddf5512d754aaf8b30dab23a5aaa1cfc8f60ef90ae9712dbe31e5f6ce3d3670e93984f58caaf2447b48f2f71847f3048fd1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa3844eb38df8dd4650d91d629c04b17

SHA1
bb05577bda13bd9353fa4f9e9d2065b8d7898561

SHA256
dd4f97ad0b81023f24a1d4ac1a5cca348656c8adfe9eef3dc1a8440f95c17386

SHA512
9603c32c82b2cc6cb6419c4fc92ddb832e3d77c46565497768288a5648d94c49bcde762e29f846bad52e17ccd3c658c2e8a9150f078f6b5d30835bc19e072419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94d2af3bdf2163b0f49228e2fceade25

SHA1
28fa40fcf6611fcdd97c4848702e9307f0ee84cf

SHA256
66025e1d9ec3e99ff12b884d80b3b5dfb0cf1eabd852396cf62b08ecaa2d5b57

SHA512
3a03a9487dd09cdadf0d6b0b06a41310e2494ea090b7bedaa67d49db0ec314acbda210436d9bf01d5b98449c05e7b10126e4e7f7cb1a05eb299de77279261c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b8ecc18192c3610385091436bfc4bc46

SHA1
69e4ddcc9e18ba4ee9eee33be458ffca0c82265d

SHA256
b40304fb9a8120ac9c1af12200bd0375b0d9fdc2df263739f81c8002965e8437

SHA512
cd72c1ba6f61af54234e21ec4c6b80366ad8e0315a59d1074c83c3e9169fb15b0b2a7954ef240575c32835c7faecb444b9bf691cdf217315c9c2a69006dc8115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfa81fddffc89da95bd7ca0b60cc5188

SHA1
7dadbe612e77a793b67dac135a31a5b37f67939e

SHA256
4d203755c8626a27ee52626f64675e38a3c628c0ec7b9fbd86b3156c98293f02

SHA512
2ecc6e7067039bb2aaeb5b2685b1ed2d911074d45d6a90279352619ef3d36cbb7e8db41c004230df92413ffe3bdc4dc247c2a42460086e01497d60db723e26a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d6e47f93d6bb52d28c488194eff7ca08

SHA1
514be8a1e0eebf610e5d3135deee4aa75731cb2a

SHA256
16254973aa96518585a16921f38f18d63a6c10aa912d82e625b8a5af671cfdbf

SHA512
9e54cb84cfdf9aa4d2c67607c81c6c824291eed52a031fbb9810bde7a1b5915e83137e1c3673db3d0c50090e3c3a082a5c4b90a0102cd70d28b94b01b2606343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ab6039e8ef1426d80fff6d12ca2dc15

SHA1
d91e9eadc0b37bcd3747827e9e70087bc51abf62

SHA256
cfd9342eed068c1d477d17d4e071f455770427fe3dd56b6a9ed1d2b8cc6ee1c7

SHA512
044932cd7051988b31a55c28451f0048afb6dd14595f907f59aa5c9a8fabe0c45eb889e73bcea6aec9c74c26a582a6ab1aa51490a19ee5890b2206790020bbb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580971.TMP

Filesize
1KB

MD5
8054adc9ca4e98113659de6265d6b34f

SHA1
b28fa4699148ce27f360fe6436cfded0fd08af78

SHA256
ce43a36ef759bdfd07c2f8b19af58600950f2fda4d385b7160e493ca16e83b92

SHA512
56366ceb357ccf4a75d11fc955d7d7c3c527d7c00e7e73694594f3f89bfa1ecb88d7b486f59e5678dfee4688cf5308696c1f485d1fc7c15d3a2c4f2d86c2a6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
446d26b57a2533c2d8fdc05c6b2c8c3e

SHA1
fe626f0f271699649945cf1408912d58a17d87b3

SHA256
3b63a133d9ff76933eeebeddcfa03b98f1178bb9ad377af8621ee0e11b8f626a

SHA512
7ecec407ee916a7b517a7dade3ebef6eebc4689269b417d874fc690474822a310420695d23fe585a36e5e51a4773fdb2ae4dc85e10c6c7c0b1473639fcbd172a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2aff0cf7b06afc52c33967f6990da62d

SHA1
353f5df9f5a12e0d20c8db5c7d77f6de8f6a0643

SHA256
59f0b39a95298d8a97bc32ac515e9f6f3159375f29bf1f4b9bfa1fa6424c10ad

SHA512
5a58dfedab0c9fbd7e7faedf0ec3d9460724472b6875218a54355fc43fb7fada6b8a3eac3ea0bb52b11bef67fa7555b346c83039d00a48937a12fb4ba97ac340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88ebf9d1fbb7eb8d4b93b3bfbe3388da

SHA1
ac1e14e9f228a890cd67cca447f91cda5feaf33f

SHA256
52dd01dc41e027b9170a5cbf9757cb68bb14c0f00452eba975dd5ee7d7abc3db

SHA512
16ac5189c77bb2b1813f21017752df16a7fb7bcf9b99b590b11e1627f03858f8d146df85e7aab8b8afebe0389b723f8444d9ff9af3bb0d51f9c6ac2400ef96a1

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Xyeta.zip

Filesize
75KB

MD5
213743564d240175e53f5c1feb800820

SHA1
5a64c9771d2e0a8faf569f1d0fb1a43d289e157c

SHA256
65f5d46ed07c5b5d44f1b96088226e1473f4a6341f7510495fe108fef2a74575

SHA512
8e6b1822b93df21dd87bf850cf97e1906a4416a20fc91039dd41fd96d97e3e61cefcd98eeef325adbd722d375c257a68f13c4fbcc511057922a37c688cb39d75

Download Submit
memory/3124-317-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-354-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-296-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-295-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-285-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-343-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-353-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-297-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-355-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-356-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-359-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-284-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-283-0x0000000002450000-0x000000000251E000-memory.dmp

Filesize
824KB

Download
memory/3124-402-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3124-414-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download