troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

13-01-2025 20:24

250113-y6snhawqew 6

13-01-2025 19:46

250113-yg4z8svrey 7

13-01-2025 19:26

250113-x5jhrsxjdr 10

13-01-2025 19:19

250113-x1vegawqer 10

Analysis

max time kernel
254s
max time network
252s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-01-2025 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
35	raw.githubusercontent.com

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4784-381-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-383-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-384-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-382-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-401-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-403-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-404-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-414-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-415-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-418-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-438-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-439-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-733-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-815-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4784-816-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\php_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\php_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\php_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\php_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\.php\ = "php_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\php_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\.php	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
2564	msedge.exe
2564	msedge.exe
1980	identity_helper.exe
1980	identity_helper.exe
4748	msedge.exe
4748	msedge.exe
1248	msedge.exe
1248	msedge.exe
2272	msedge.exe
2272	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
4784	[email protected]
4784	[email protected]
4784	[email protected]
4784	[email protected]
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
884	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	taskmgr.exe
Token: SeSystemProfilePrivilege	884	taskmgr.exe
Token: SeCreateGlobalPrivilege	884	taskmgr.exe
Token: SeDebugPrivilege	1904	firefox.exe
Token: SeDebugPrivilege	1904	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe
884	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1172	OpenWith.exe
1904	firefox.exe
1904	firefox.exe
1904	firefox.exe
1904	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4672	2564	msedge.exe	78
PID 2564 wrote to memory of 4672	2564	msedge.exe	78
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4644	2564	msedge.exe	79
PID 2564 wrote to memory of 4016	2564	msedge.exe	80
PID 2564 wrote to memory of 4016	2564	msedge.exe	80
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81
PID 2564 wrote to memory of 3528	2564	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0a413cb8,0x7ffa0a413cc8,0x7ffa0a413cd8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,7054678142482315686,4361046369392501808,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6548 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4412

C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1172
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ConvertToPop.php"
  2⤵
  PID:2316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ConvertToPop.php
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4bc7cfd-08ea-4eca-8e8b-e3e7581916ca} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" gpu
      4⤵
      PID:3980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce418000-b78b-402c-bcde-674f495a70fb} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" socket
      4⤵
      Checks processor information in registry
      PID:568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b93527a-870b-4bac-afce-76208e2b4225} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" tab
      4⤵
      PID:648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3116 -prefMapHandle 3120 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a27cc91f-4908-459b-8247-9d1151063305} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" tab
      4⤵
      PID:4340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4716 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68b454b7-b56d-46ad-afa7-7260e03d5d88} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" utility
      4⤵
      Checks processor information in registry
      PID:5472
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 3 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {833e15ec-33b7-4259-b972-438da7f571c7} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" tab
      4⤵
      PID:4396
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 4 -isForBrowser -prefsHandle 5688 -prefMapHandle 5704 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e08fe3ef-949f-45f9-8cd8-0db1a6fe04a2} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" tab
      4⤵
      PID:2196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 5 -isForBrowser -prefsHandle 6000 -prefMapHandle 6008 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ecd03f8-2166-4a90-a1f6-29e5990095a2} 1904 "\\.\pipe\gecko-crash-server-pipe.1904" tab
      4⤵
      PID:4796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ConvertToPop.php"
1⤵
PID:5248
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ConvertToPop.php
  2⤵
  - Checks processor information in registry
  PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\095151af-07ce-4a1c-ad24-4f484de999fd.tmp

Filesize
10KB

MD5
f3f43840b38ca2f10368e32a49c4b5da

SHA1
066790169e47182e02b0f46bcbebdf38a94acc09

SHA256
7ad10bd3ef6e0acbd9c44a4bb1deb004de6ea748a40076a8f39f55255fb230e1

SHA512
b11f3a195d8a4459391bde4579cd7f7a2836c487ff6dbd2c446eae130f4548bca29eb02df658eefec2b1eafba09d8cd3617e35956af3577c5f4a837596ced797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
73056a8da4262502e6d6f0a0d967af5a

SHA1
71f663dcd33f10c6f761704aca99abcd2821a155

SHA256
e81527e18c67675626b18041a4d79743650459f949926f75e946d404d72aa526

SHA512
ee92fd55aeb2de16db135e2074db6d8f8eca5ba5d06869a015d28bb966293a13124ff7e30cedc19b6f627fec393f2e47de71f2eca026c660aadb8f41e9dfccc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1162c059555079828dc8c184e8e5ea26

SHA1
8974cd590f17cf7a4327bf25687e5cbd018a3589

SHA256
ddc87c5b75d0144ebc4736f7cc0c1f0dbc310bf68c22dec7bdd77967003331c6

SHA512
34d1aadea156d184e1f5050a952e4448e791de2c0db350ba1467f94017f6e6cb20b760348bc1c205968259ab6422621dd8fa12580fd9f27e63c34e0a5dcd85b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
390efd57073b9d9201591c0497a58d22

SHA1
a58ff0601b22848cf4874635b81e90e8e0450bc6

SHA256
5b44b2b7c779f5b127de5b7e485368ad7f92319a51fe162c417966226e85eb3e

SHA512
a10df6d7f6d54390822c679d8dfdcab6ba638cd3e2abc26ed60309a6157b1dff706a9025f2c18750d3c41bc4a8062b15a0be421921f714f2e6a85a139cfcc4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9fa46d640f13e0a7282a88d1ed3fdf5d

SHA1
aa4dda90b872aee64ff2226d76d6c0db7e017e69

SHA256
d4500ef9abd1944784546462ce32752e40c981c321cdbd3aec34743fb45015db

SHA512
03020a53b4921eca4ddebfaf4a103007bc041278cb8dc927fe4c243c3dc2d68fc2eb914de9bf24b69608a6fccc309657aae099d899a922b2ed5e587563bac894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0cbc289057140681ee33e95ee4beed3a

SHA1
5e6dd3a2a78dd3e887ca40ec4012282cea165707

SHA256
7cc09e20637c81f09a7f3fc317bc4a186c7a8fc08f3ac3b84120e8cbf4cf200d

SHA512
f699ed13d7e39076026a369679c8c81529df6c469572f14882c8dfa04bbde31e462bdb63c7f92c969d86cd22823f4b6be7b01dfaf518c6665b4858b88d30b2e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb620ffca4046ae95a71095c8c3cea3e

SHA1
ef5b570ee6ab0dc56b0924e78483a3fcc37df258

SHA256
96da33d6d721793084ac626f91ed9b9ad5905980fb439c82e8fecffb3adc615e

SHA512
2fda50cb09777085e816e46855132afafecb802b9084867df35b8dcd66c202737745bbf3b88df2f37b4120a0b0c24eb27f0d32069abb212a6425d8884b5f4095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bfacca22943dcac174e7844af3c7a81c

SHA1
a2a4c3c7dfd8b96456750c9d3a8a8577a8915b08

SHA256
a3c66a1aec4e0e560c9f7a079c7d2e7301f7ed8af4470cebccbed75c164a6e0b

SHA512
39104678d5d41947be7a64967d3647af53b7e64a7dc6fa99a3eb666b4a5000d03abbf1832206226f651ba3a1fc2aa18ca34af5f1c816d08798bf3af3ab0a8461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
82dc5795e6b5f228769a13dd3fd04e4e

SHA1
e1a83e8f8955f20a0afd8fdd7ed66da4ec1b543f

SHA256
f465d240297f53e79bc92bd51ba2100185d5ec53a68246f88e97161712186785

SHA512
856accb456285c01cdae5f9fa49368579c685a5f4188f0a7b6705964d9aaa52ff9203d7e8d57c22d0dec444dbf26ef751d9548e4d5f9aadafa90873e83f9d36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
38bd62decd34c228feef49c66d9dab10

SHA1
ade66cd8e024151b26699791f6491d6415e2247c

SHA256
3bffde6fd4f53c91849d82c7220a27511b925ef4af5e9ace2a38f788b741df8a

SHA512
8fdad2c47236c02b31b83b1dd7cd6b04df871742d9ba561bb2827a47ccb1bce88a387fcbaf507c47e5baac5ec3c7ed1aaf32e14645113188125d55f997606d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b0653e13e723392c8fb8222b93b8d91

SHA1
fa398b97dfd6fb7334757a7e97c108eef051c634

SHA256
6e6a0282ba51d832cb458275d9e1d989cbbe472460322ba0544a2cea1afc3ccc

SHA512
a1b822b8f7e7287079c6b6857e80245ef59de2ee4cf56bf0a0a9a5ae31c89c9a4c649a01b6fd6d1a067b80a37f680db3f06f8a14860f1dc12143cff1d54fe37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58123b.TMP

Filesize
1KB

MD5
0e27b835bbc3b0ed2b9da1b502fd0b1f

SHA1
ffaeb3bf711e6811f90d6a1fb3e8eed0321e6508

SHA256
8847483ccc3ecec4be7b8e2433c17ad2658cd3fc98e77e3018eddd9cdc6d027a

SHA512
9791635f0c36e7f56d0f4343f5f7b72a8dca299fc5e4bc40be63731d696c62a59598835f7983e3754dec8af5bfab0cd17536580de0f594e4b56e90a55809187a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d97a8f49-db6f-4d7c-90a7-4ea8a5492a69.tmp

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20f8705b7ec4b4f1fe4ed477b1d0e25c

SHA1
f4ddf3cdb49302370aa9701bbc7e978ac76bd4c4

SHA256
c3b3c9e801d32b9bcbf2f9bd7ad8949b874a31726f0599ef8d5d4dc5b2db8d14

SHA512
5efea2a76942bf83ee7f9b836b28f053b07416636da5378532524e70576bdb6cbd1ceb9c313371f6b18e3100069518ef339d8f385e25ea58fde20a8fd432cec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
173ab48ad0e4c6446db54e402fa556e5

SHA1
d0d3e3beae31ae98654fc8dab99e7edb5fd7d4df

SHA256
d892d220a8ab2aa78c12f2a9c66858e34c8227e92a66ebd08bd9ddea6c282495

SHA512
91aee73a0485940011a92ef615a36fbe3cdd4441638dbc8b0d0dd305c85699863ec58c0011926a1e311824a1e8dbd1964c2fb416b07486cc1fda16aec601d07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
81b6c2b951e87fc933c337b6084809b0

SHA1
697df5986cfbdc6b8a32a791e82d3d29da9a883c

SHA256
91d7f497e9f25597d0ff5ea75ff4c6dd031af487ee654bbbd313cd986b8968ee

SHA512
bf5015d6a81136ddccfed590fc72b65102c1498541553bc326d13d734c5e641ad4c54106315954baff26b3fa283241a42047fa863bf952a3a7fd371737a7bb8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
d27c5f5536c6cc4e3f845343859332c5

SHA1
29ace03737aa46c196ea2c2cd90bd8c208fae4a8

SHA256
854b68adab87e9f2b6218ace483ccb3dd4591576bf1eabce89eb8c6b38c9c74b

SHA512
1fd474adc697a5339c21c54faadac5714ad5c4f8e11fc2580a5934ff2639188b3d833d77f5de87094495c7b91ad0f680a6dbdd5cd2b9f12233688fd4ffccdce1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a1d9daabfd22e84d16c5c9c70d56af47

SHA1
49a25ba03fb126f6faf6887937c08b0fe446ea75

SHA256
50f6d6660a2accc450dae41214f4c99186e53c4b7eddbf839d8a89e9a12adc44

SHA512
ba66d1427d8e888f25a7c1d69ad38164161fd1bf5b8a521bcb098375eb56cfb9b5e77e9926f75cbc5ba390a80eaf1c9e17ebf7903fe911b93cf9ed152c857eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
06f98b0a61587c4366b4246b48de0daa

SHA1
163d7b4a8822275aa8c16ad09a16e993192cc948

SHA256
41161ae052a0fd4e007c8890af34ae8d2f8403c36d3edab8550cff851b2db2a9

SHA512
3c52d1db3603654b508293bb7ed7b2002047698de87d112be85f8a689e39d521d166352701797f571f22d2439e4fc16fa5d207ed3a1e9599f042d69be49ef332

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
39e1500cc2002caf7b4264bb828090d2

SHA1
88f95f17f7a68ae7a780dcd1f1101299286cec24

SHA256
ba7138a15aaec6e0d9eb0d49c201eb7e8870e71fbb56f54af46a5e76b34b1f69

SHA512
b3540997c6f1a8811c0e9236dae38f0999c44ddc5dd17baf4edc9e54580bd649e16c3059773ca44ffd4d355b1d790fe8bb398b6163e04e41ccb13e175a65d981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\17535e1a-0ad0-4773-9e3c-a1d46d431950

Filesize
25KB

MD5
e4b00a752257d716125f811c33de31c4

SHA1
6a459fdc9135ad632bbe10ed7936a45619f5088a

SHA256
5b40b23f54573ff2dd96d7314333e0646caee3012b1e2b888d8937d3f183a0f1

SHA512
5ade90e698b80742e9b7bb3d98fbd977c798ba3c48d339fbb42ea82c3ed563e9a400251adfaad701f069e5cf1a24784e709854da2d3c0bcc7c7b04abe145c41c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\356b793a-192d-462a-a74a-6f69e48d1a4a

Filesize
982B

MD5
2de962339da734bca896f6a1a5172c7f

SHA1
1057a7631f98a278be172a525aca19b9db23003b

SHA256
93eabd0df6c6e429af01fd7f9a0d8c311c944b394a0cd994c35dc26ebadff0d3

SHA512
2792d4d1a76a534a4f5ceff4cd27aa28de1826bbcfa46a72a4ffa346d72022cc2671cc10f01a3226563af1b007410e143a349d871ee45599b5398e6e50d6d10c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\dc26c784-00f7-4ef2-8124-d6e04434ba3c

Filesize
671B

MD5
54b81025961eeda6a39d0f50dbd3ee5a

SHA1
755bb7daa06ef41e18369f8a3179af99dc0e8e2c

SHA256
2727c52d9ef5efbb4b8207d6a491c08d734da9d0eb8a4488011384cf22ee4b2f

SHA512
b6cb6de13abe27947e0148c5ea43eadcfc9bda24cdbea001c60f4efecf6d96a95e7af6069ade43a8cdf0c79d54e4b78aff2fc80d0854c415378dc25a7b061a66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
9KB

MD5
fa3ba9b85a64a81a04cb91e5dadf447a

SHA1
6cbd7a9a49342a220a043604fffca3cad1f94796

SHA256
c937ec0d59fa9396afeb6ce2a9f1beddfdf2fbe40ee0dd367595d1c9667e1e22

SHA512
7ed6898091d802c4ebe7291c22d80ebeab5004ad3d835914feea626af0c9ee4e0e2cc7991d9fb289ebfe2a55a211e873dc4c20e8db859ef8082d95ad2a12d0f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
dcab1cec40a206c498bd15e4fd6b4c8a

SHA1
fea90d52850d0a106473a324e46673e40ac80598

SHA256
0080fa867c9109e573c294fa9a5356c93c60fd28eda4881227fe8f78c87a396c

SHA512
bdc8734060f7682cd09ca1a227a5dba10f91c8564665994200a9352e8bbbcea99a806d85940a03a8aeb466bf240521c34e709774f139f507465a199d6c8c2615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\b5al27lt.php.part

Filesize
769KB

MD5
fb9acc85ec7a9f5f12f0dec7d1b6fa3b

SHA1
dc1791da1baf1641551a66dc450cc967d6a09a5f

SHA256
bad1f40378b481dd3b8ce50d28622fd0210bd5dc6572bb5805f3e179c1422d29

SHA512
4654db7ee8bd6b7979e8abfb02b4070b93ca3ebf935f9e9829f7082f921723c1938a25974fa358eb5c98cde3714475345c62fce0cd48db2e2a2e7eab407f3909

Download Submit
memory/884-389-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-398-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-388-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-390-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-399-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-400-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-396-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-394-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-397-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/884-395-0x0000021CF67A0000-0x0000021CF67A1000-memory.dmp

Filesize
4KB

Download
memory/4784-414-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-382-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-401-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-404-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-418-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-415-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-438-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-403-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-439-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-384-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-733-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-383-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-381-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-815-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4784-816-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download