troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase/raw/refs/heads/master/ransomwares/NoMoreRansom[.]zip

Analysis

max time kernel
80s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30/12/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/refs/heads/master/ransomwares/NoMoreRansom.zip

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
13	raw.githubusercontent.com

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4432-154-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-156-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-157-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-155-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-161-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3380-162-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3380-163-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1016-165-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3380-166-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-169-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1016-170-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-173-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4432-174-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
2564	msedge.exe
2564	msedge.exe
776	identity_helper.exe
776	identity_helper.exe
5008	msedge.exe
5008	msedge.exe
2232	msedge.exe
2232	msedge.exe
4432	[email protected]
4432	[email protected]
4432	[email protected]
4432	[email protected]
3380	[email protected]
3380	[email protected]
3380	[email protected]
3380	[email protected]
1016	[email protected]
1016	[email protected]
1016	[email protected]
1016	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2056	2564	msedge.exe	77
PID 2564 wrote to memory of 2056	2564	msedge.exe	77
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 3968	2564	msedge.exe	78
PID 2564 wrote to memory of 1580	2564	msedge.exe	79
PID 2564 wrote to memory of 1580	2564	msedge.exe	79
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80
PID 2564 wrote to memory of 2816	2564	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase/raw/refs/heads/master/ransomwares/NoMoreRansom.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbef0e3cb8,0x7ffbef0e3cc8,0x7ffbef0e3cd8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,16232085682121164404,11755383757932945826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5092

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f53a296f5511ee0548ccbda2fdafb954

SHA1
308b3b23dc25ca74821d91985f1a2fc182054389

SHA256
101bb57d0c73d582dfd8dcbb49efd16d053edbf4920ce6a3cceedb2cd78cc3f9

SHA512
764fa1d79f9a22c9149c4e14ab2eb5fe0fadf425d0dda2597ed48f18b785e9f5422de1a2e8db5d5dd52881a6b9b94c1d2bcf29fca9be298ce69b860bfe698e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ca981b734826389f97597dc52828264

SHA1
0cd3eb1a958f13ae152f576ccbcc20b3f18e50cb

SHA256
edd4dc8d109faee723b8b97cd072705ffe624c248a53630b33c1c916cd03e5e1

SHA512
4d8420930b4efce263953415bcd96ae86a2d1caad3af2966b3add46c3ecaabca0f28c8305d281260953c5e13cd03cffda594be273562a7f6337cee97b77728bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20d81ee5d0272deb2ec3b2c0beb6994e

SHA1
4c2a8f33f9472310aa5b30f9ba38914200c8d10c

SHA256
423be6154e0f1c93bab731457f9154da9210137dd8b228cd9101bcdbd3f50a05

SHA512
6e09232e454987348ce6aaa959481328159d5ded67e88ea28076ce7899490e96ef7ce92e04307c0a7ce3378efc32be2b67a7f944c1a000ca65514f78dc5f63e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0c6459aa6283baca5e2012c455c83e44

SHA1
2d7cd5a57eea703d9e3323d04f0b8d55a0ec37ba

SHA256
b8e856f0d3c36f64fe1bd9f7282d877047b6fef2fca08466a3f7946ab95fe519

SHA512
d88df684cc7cc16a54bdcbce9b6c30f47fb8e4f304f5f08a2c8c1017f4dc134ceb21b9bb49e11172ed208ae83bd6dad08329f16008b64a8b597c529c077adfb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
41d7c77520116efee7baa1351e13f5bd

SHA1
7565694009604b17fcf42e737d851c1c36497368

SHA256
337ee1c50d9f5cf520819f78d94021b12da28018f8f38a3f34adc1f8a3840bb1

SHA512
7bf89a56c2d89835977cdb88756b7b48bb74818e64488cbb8e159ecd47e31bd9aabcbf0ec3aef4b05a88989a407625ca4c51c121243ab0ace04c7e8580469aeb

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
143B

MD5
9dd432cca627a38d077c8b15a1ab5c86

SHA1
b969b2993e2e9345ba1d0c3c40679dbd6d4813e9

SHA256
0eccc005d73710b0dc96e5be1adacd8f8a031019eb84c7c57e7ac8f891c6cc7a

SHA512
bb10469eb81eaa98057f6d88dec1d62de0380fb59c89c9af12b25617ddccdb0159b68df75648eba0a0df3bf5012bbe5c2510898c93265fe0a3ade85efd69d2ca

Download Submit
memory/1016-170-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1016-165-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3380-163-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3380-162-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3380-166-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-155-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-161-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-157-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-156-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-169-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-154-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-173-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-174-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download