troldesh | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Analysis

max time kernel
374s
max time network
373s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2025 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Score

10^/10

troldesh defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Downloads MZ/PE file 2 IoCs

flow	pid	Process
24	4900	chrome.exe
24	4900	chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-270-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-271-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-272-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-274-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-273-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-297-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-296-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4896-302-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4896-301-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4896-303-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4896-304-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4896-318-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-321-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-340-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-350-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-360-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-384-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-409-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-410-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-420-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-430-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-431-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-450-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-460-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-461-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-471-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-481-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-482-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-492-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-502-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-503-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-513-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-523-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-524-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-534-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-544-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2404-546-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Hydra.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10288	3444	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hydra.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844881094226223"	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Hydra.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
2404	NoMoreRansom.exe
2404	NoMoreRansom.exe
2404	NoMoreRansom.exe
2404	NoMoreRansom.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
4896	NoMoreRansom.exe
4896	NoMoreRansom.exe
4896	NoMoreRansom.exe
4896	NoMoreRansom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1116	1828	chrome.exe	77
PID 1828 wrote to memory of 1116	1828	chrome.exe	77
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 2872	1828	chrome.exe	78
PID 1828 wrote to memory of 4900	1828	chrome.exe	79
PID 1828 wrote to memory of 4900	1828	chrome.exe	79
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80
PID 1828 wrote to memory of 1408	1828	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f7f0cc40,0x7ff9f7f0cc4c,0x7ff9f7f0cc58
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4512,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5064,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5072,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5352,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4704,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4388,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5292,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5216,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5484,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5516,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5192,i,6545187655938443895,10232167744534333639,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2716

C:\Users\Admin\Desktop\NoMoreRansom.exe
"C:\Users\Admin\Desktop\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Users\Admin\Desktop\NoMoreRansom.exe
"C:\Users\Admin\Desktop\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Users\Admin\Desktop\Hydra.exe
"C:\Users\Admin\Desktop\Hydra.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 68024
  2⤵
  - Program crash
  PID:10288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3444 -ip 3444
1⤵
PID:9468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9e8d41cd66d1fa89eb1d6dfcc8c3c7ae

SHA1
bf4ed90b77c93aff9a76fdca37ea99f13390a532

SHA256
64e61124efb142307ef585b78fe02d04716e0bdba72530dc70b0a335dd214889

SHA512
46a16f32bb661962f63b34cf1f9193bc060d3ffbd9779bf22c52e657987004a04be40bf46a3199e67ec6b2ff63570ad8d7ce5084c0a10575955feaa3647d2e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\70436107-f385-473c-acaf-e6537afae2b0.tmp

Filesize
3KB

MD5
33b746b9300674dfeb2df484decbeb9b

SHA1
f74b21e5e1095dcce6c153c7daf38f8030ef8d6f

SHA256
b69f21a195f06b1b49253818ff60f86e1773ed4712432f2b373a9e109ae6919a

SHA512
c406cea43fa654c8218ef26ff43f7d57fdaca93e8464158bf3fcc426e8a113ecebd245ccfb74af684c47d569f41a51252305573af3175e4c89ebdf85605b08c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
38ea959f3b3a835b981c087268436d29

SHA1
ff3bb4f79ce4b1fbc7bd0c444a2258f8f537a23d

SHA256
3f2118406b69dc771aa0b241f118790421ea98f8765244c9232af341daba7732

SHA512
fde920d175e8544a0db8b9cce8e5d0d553190b996ba1d3a3d83a8a9d924b046e8e9aaaa32023c6c373de39f5ff319ad7e7faab2ad7775119f068d9cdb424175f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
c5667f2d780184c7c33e60a839997ae7

SHA1
bbdf089a6fe4fed533040d976cd8fa96951226a1

SHA256
bddd35e987d03a5ccaa7012b17f8c3c77f0f9a2a227a28e1553543c4af2b98e7

SHA512
654774ae011ed235f72e1509d916eecb2fc4ee77f03aa779be8c13d448a17e7fccaf4c865acb76914cdec671474e036110a4102de83ccd6f78dc4349ed737e90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4d2a8afa58f19c745128a378334e085a

SHA1
6b05afb99896ab5b922b52a8a4c28bd526606879

SHA256
8fef4b267e1303c1b385331f535bf3db4d2e72d3a466ef54919f88132b603542

SHA512
c2d71871633aa07a370f86c0050281c35fdafcdc74d094f83a153315e19ec91babb23b3ffe1ece2383bd4b1631759a8f3c98892d8a675bc9be1791c6760e7547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bd07b0190659316c7d9381fe2e981afa

SHA1
f7cab65cfb8751f5f4d75d2af98cda5a8d515c11

SHA256
0f23507bc334677d91ba628757f561dda0f2469904b296dd4108858071cd95a4

SHA512
d5db7a228057190e1fa969531c025a56b81cffeb9c5c8fcabcba3a9b926bf2a90f465920f0c09b169d199abbe6f26b4a6d10239cb90a818013ec2e3858080a87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c33f06b32bd9cc0bf48a4632dd7ce80

SHA1
4ba424691e01a1c7b37b1630ef620ee135f1ac89

SHA256
61afc6da5c33ec7b210e8b63f657c6724c3d0542f18be121421c7bc5fa08beb8

SHA512
43ca6f9f5f983743f852d8fa57f666a06cfd523c35131d75ea7ead989e5cc33fa5d9c5cc45b41fd91732c7539a48d20a262411ced7875d2e46b15a7a1228bd91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a524e3fb11621d30eac934917da13bf7

SHA1
60a652990563154b33dbd54d9fcfcf93c4d27dd9

SHA256
ea514bdda37f4ae622ca0babbc34519cc9a0b6aa4b40c211297863b00f122879

SHA512
e8424c058a2ade8dad84f7126cf40b687543ed8e67e336d7d962627fc81b8f8a60927814ab733dadc38f6427f3f0ab3cf705e5d874604d7d2818355effd8aaad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c901f41995bef4ef27efaf78f5061d60

SHA1
a3308675416a1084e0f31b4834a252cfcef83ddd

SHA256
ee4e0676afe491c8388b15baaca38851b6c46c7f97aeee6532d2bac26333cf0d

SHA512
62e1297936448f3f4628c87e0f90cf74fbea9643e7885577ef897b6e143f310e91199fa0e107fdae65b14bedad4d83d301f2b01e75250fa1da1932bee367f163

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
68536abe4be253c657462a742a962bcb

SHA1
9c572cf680ad1a1b21acb2c0a3679393b36ee543

SHA256
008179913ecf9256ef17586557b62b49b3a7353e18fbfe9e390ae680f0319079

SHA512
5c7ff1a07a47e4a683efae2d5018a71c0fcb3509abfe0e48556a59fa9a02a52eb4ea155b6fd007bbc431a806bb0029f5376e9654f60c8d812622cde0ac78943f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72d459386c5643d34ccd65adae23f97b

SHA1
ff60a568c09266b4fd2299002aacd655dd661a10

SHA256
3612204a4add35beb3ae22ca3a61619189a0e9dde0a1f5c5dc8a35aee6140cbd

SHA512
4eb25113ac6c200cea6cf2fc3903bcf44ff6cab896f51f17a65231c4e6e2887798a66867cb96070fa418cbcc139b41d182bb6e0d730f7e8e3cf06f28f5188319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea00ce1e7ddadf5883c74cb0fbaf69e1

SHA1
883db85a6e0ff363bc8e5a10b1e4219ae0e19059

SHA256
6d0a0b15a7539b57a7fe78c1b03e9249893b469309bc752d8b871fcd93230e65

SHA512
a74431ad887c99627619ebd681a64bbae6d211a7dded9cdc67bae1823914812cdc721d6ab1f631dc8ab328155ee7d06341c17c5cc0d1290a3c5b52aa2d6c56f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4749965831d4b3b074632a55a2dfacf

SHA1
92d664b4f9826be89ec348c22ffd4d3adf5a4309

SHA256
a6b2463317cd098d047bca427a2d83f02dad671e4cde38aa5809abd1d4b41d61

SHA512
b165f45bf0fdd42a7d29954cad09c5332af714a38eeed66d8321154c496bce3520c5c78d6738b13fae4dc850b058acb4799bedb3bb72123ead551f4375120495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c3e6d75cef675e458b678dc1ca95a33

SHA1
a55b7c52e3160a0aa33069dda2fd6f9e1fc6c13c

SHA256
3fe3278eaeb07fab6c618c78b2c3496d6234434e181f0cdd5adbda1dd6601c36

SHA512
3d4f51c2990baab29a64bafdf5398848f8c454d48cf05109653fde66edce93f1fd4c18389cc26dc4a3539a975c906ca22b125a3d9b1367f85404ea10e3a31975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
590b832079b24f868a3e59bf2e7b0e44

SHA1
6e26e9a22d2ee38d857f54868226eb60541f06cd

SHA256
05649a51fb0fe5635154b2041e2e467bacee97d4d23cfd4e787e825142a1b380

SHA512
7c7769183cbd65d1181edf3c6b490976c1fa4d40f132dd3d1324270a690fc35fea8438f4e3b669d69291c51bab1cb4074d8e17ca4954d75429b152a44a701e27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12831f6b4cfc188ce3088412db18d1df

SHA1
b205f5ee70eda7807dbfa4a7f021de591546083a

SHA256
4c5614a8ff9819c5d92bb0e132decb5a002cec574ead881f9db1a4112d62c3c1

SHA512
76e6fceb5ad5736deee827a09b8d3ed3e61f3538c94c6597929066972e0e497f73205dffed0b9f658839815e0d00c656cbb17839542e4b29e86a3a9d1fcb1fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6cf43aea89a3e0ce6fc2d47ea582af7e

SHA1
5daab6eb5bb3f6f9dd8b36384950498eab6702ab

SHA256
60566da32c4d947766a480f15e1af3b42a5eb8dc3a7af95e9c57b25384428a72

SHA512
7d0326dea3a39de143272f54b67f5494546199972b761fdcd5991f0b1a7bbbe85fedbb3a2f82fd54616412071e8016bb39a6fe270ce26a88d5ec591757322497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4f1f9b3968a0326c7f614431f0c183f

SHA1
d2fd385ee9e73760c86b5cdddbf46369477627c3

SHA256
9b792b253f9df67bd678e96622efca966f3d97133e0e83f0f797ec3d8a8b2a54

SHA512
5dbce66e0fb6b47e7e8436aedb09345f567d9525872017a87f7725c9a7a71c11249f8a7421f5fa764464910bfbe9705faccfffa5906d9c84452ce1a74a5df72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5e82a1ee9895032b02eb4fdd638edce

SHA1
1c607f58c009784b1a1d0727d3d6fba3ae96d2af

SHA256
436adb89d051561d2dfd627aaaae8eca54c9b8a4ac804e4b1073f691158c104a

SHA512
5180520d695ebce29fe6262238081d33b5c4ba646b80857392d364cd2756fb1166ed4e65b4416d35112af4e1904f636d484f58c792bb98a2c9341f923d430e36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41652e08e2858cf6d69095b95eace67b

SHA1
c6aa5e4c559fafab9eeff4ee629a03694da7773e

SHA256
e50edc8d46dd0afe0feb3df4a8d015983408ca1978f8eaaf7ccaa4bc6006726d

SHA512
633664f9331017ca64303a6551573ec5938a7e27b216cc94644d70198875fa29187a6cda9dff60cd51b8593bd68941f664eb9df965b5c8bbe23fdcae792f68b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90d7bbb13d267baac9cea8e7059efd11

SHA1
3f6c1c6c6c5a53c2caa9c591d4bdab5776cae066

SHA256
9ee70e83dec0fa262274df371dd8a04bbe684aec7b2d43f9ede112c81e329d79

SHA512
155bfab09fc917d12e241c2c404802e7122b0cf61fd1bcf83403809bcdb99b62ad5e74de1241a377ddac91dde1bd20c015376aec53b8fa57947c3bf1775c9f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b8ac672a338216f2dea7a895d12215b

SHA1
65527278cf46ee4b0385fc73b8c785bbd704537c

SHA256
c19c8fcf0df7a5e583f7af6c8bed11e4743a7bd15466eee9550f880b37fe108a

SHA512
3b26dd966a0a7d483dd08fcbec6fa9b139f5e0a87fa009b8e210e815976817307d0fffdca914b523acf8cf9f49775fac7a9e5fda3804dd8c8a3ea4b546c3a32e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18af437c49f686c2566bc991ed4b6e91

SHA1
287435cf37710f7337b35850d1ee27a9b4b5c0b9

SHA256
469ff93b6fc88b008dbcd68f8cfbfa0c4f9f5be82de7cac67ca813968b27bf2f

SHA512
8b3e332592c454f601750bfca01ddcb92a74a21f87ca6ce070b58efa147e97d309b97efd2ab5b71bcdf127672196142acd2503ad9a843aee1d12457d4dac1cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f022e8a91e276e2bbf7892b9c25efe9f

SHA1
56ec87b96b8bc08304c302ee7e1d6183f2196583

SHA256
9c9af04f5b5ac188c8cc6c31b0667133ed7f9c5e9dada675341db056227c2e2f

SHA512
3cacd530305c15a82b61b6f4ab406d926d2ad38a40b045460970a09d52bf6a766b62e29867619d52106c1b973151b160f7842b90425f6a90261abc85c316a6da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9ff7e3839f603d0474833dc8382bba4

SHA1
66974650b9ad5a707ea30f1d8c1f7e486ea48cdb

SHA256
75824c42d1f4cbe656746922a94e89ab27236db1729850db0614a7edf0af4fc7

SHA512
0d1fb4a9c66b89a86a9401221c87341d33c60a83a92dc87e738cd763b46a2c4124f824d0909af680f0b38aa309e729631e52a158fbe9e841272f3ba8b187a53d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2da189bc3338d09ae013bb340f04d536

SHA1
8738facfb5306dc58b8bc64f30a7883875e2a8d4

SHA256
92071d4c8d22e7ee7bf9264a9959f254b16610a13a7d6bf552003b4c68e4c6ef

SHA512
46a00fe04de8f89cb07c98f80a46b3bdd1153d5d41c8acc2c3b7675659120039ec4907f48d7d801b4af33ff3888b320096ba046bc6da6e3feccfccccdadab875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6181588c0a3841118dca46a83a59f700

SHA1
c7690107255d91159bba70c47c86e891da0c83b9

SHA256
e08bcff838d6eca8c386db23b0f6d163e9c5a7e32728a39a8bdf5847d95a49e1

SHA512
60d18debd2468785c851c10dfc9a37026480ca2939bf9ec8f5adffdd055dafcb9488d886f6ecbf4515a0ed2813a4ba6865741a4744c904fb978d4ca2f130e977

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad2d9f5688363c2a55db32de0c2f6b54

SHA1
586d59a494de95fecb5d6e1d782733e86646969d

SHA256
9bd57f363186c7c498c07975f6bd31b0d4e7ae618ddc42efc967b3a84f10c3f9

SHA512
0059afd83b30d976b12af3293dfca339187e53e6ad44927059574b619449d8af882a7b92d305cff8a5aff332ba21ff9df75eab633d18c7ddc0e9cebf2ed3c3ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43b7e30334e65ffe47cb1f034c929435

SHA1
19e78308d83e7113d99efbbf7837e1c814a0d909

SHA256
2931e6ce20e69f316559e3d352131b34d7ee3c48a8b333e18264d5cff2c4f086

SHA512
6428b51014db11c18103725556cf8ad86cb0c03d49889f31142918386f79de790680b70fe4b7861415cafada9e00943c8704c4e4cc68fbfb1a638b722b32f806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bbf83468bd0e0995933c5f0cae2f4b65

SHA1
d4f455a7b21882226293b7176b669070f9decea7

SHA256
c385ac6fbd9f11a38f81b0fb88fe8dd4148748a0ca9042d97fdc2d0c619c17f3

SHA512
fcd4c37aaa712f306b30d2ac75b2f15b8f297741d40924dd70c2079a6b4358d7a030cce659e6f2db7d8113a55cf99963474ab413cf5cdc731588f271ee1edb24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ca40f58f27300f32940d3681d75c8b0

SHA1
f4bc285f6749e9477097c31acaf4be1290c35f4e

SHA256
bb58d0e85c61de221f5d003d527fa106b4539ffc65dbf7a8b1b07b9bc04f270a

SHA512
cda3a139d9b406c9c2b15c87a9de2e01262e74e9b99df7c5b955bf3157b17c636711181d27c4a6298c8517491727db908d4bd31dcbc5fb1ea0476f6d93236f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1971e807ec8f319bc22b0ff555fd367e

SHA1
129f342c5ce79fad509fd3daefa3f67f4fd9de1e

SHA256
98bfc027d9ff8f17261397cfb1d4bccab00fe83db70c967f0e6f3b5b5edbbbb8

SHA512
97d0d94e656514a4eec364532b2cd9bf5a5d8ffc3ccc6bcea98c2da34372092986dd7257e1e91c9bd810173907a20eb3ea63ae0df88e030d2b9d6eb002e82928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e79602a9d875243531f257a78c30da9

SHA1
aa048bbcb8a83edc643ac439eb6194edb25acc4b

SHA256
7b1a63830b64e8e2214ef96129c83da4298279d6c5ab93d79e9b52734197baab

SHA512
73d48372c34672ed06b60aac3ca225811fb7e7f8249d05474c85b0265bfc1a8fa880ddd9d3fe11016e5fa68754f971969d7608a7018d3bf29c10185841c41a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
31881ed0419fdba9e2525a19a581074c

SHA1
649147c8de6654373d82cf0438e1ea29ba1c29b3

SHA256
9e8c60efef0fa0e43abf0a906437635b4493fb65d7d973f72e45bb228ac98741

SHA512
1e6d306e5ec0072d6f6720ebb1bfff9956b4d4f7681def5266281b195ff029245d2199bf5cccd9f172ea034db04efd10adfe6c7f7799a4850f5fe852ac9126d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
229985df179120f48a61bd4a7fef1c24

SHA1
39dd360a1c5048cc397b08b20e56c2460578d1b8

SHA256
903dc7cff8237efc2881a41bc509e5ebd6dee729aef3329221c7ab7e02e7a5ae

SHA512
d9386fabd78cf44a7ce8407b0dceded4d3bd94214cb5808a3705b3a021b6b265d5e99ac5e63791195f65ffbdf91dea3a570463949b291cd948e99f16cdfdbf93

Download Submit
C:\Users\Admin\Downloads\Hydra.exe:Zone.Identifier

Filesize
213B

MD5
dcba014f749120320da54a105cb96828

SHA1
6c468dfbf293e92aa39384c06afc2d5f4c041bc5

SHA256
2fc7dd2bb0eb53d3fa537bc79a90d1e8c9560234358fd5ffe1add9a318e8c4fd

SHA512
e0bc4dded5b37197a2c4482cb450c7136644afd37dbf06d041c63f965e3184a85aeae743f4c1b32d67b0abe72bf29c0bb5c5286d7d5d0e8f6e34bae2e09d7a9b

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier

Filesize
124B

MD5
b9b50471206d23631282f490a54ab8a7

SHA1
5d75b29c035001f20d9a5d8cef08edb5d663df15

SHA256
c004420772c1aef661f827485cde41134da819d6cedffea71428808941302ff2

SHA512
d60a8f2e4c6966345baed6a16fe4a6f75d129d8394c7df565d4c4ba9516dab5e6b9a7104d947b5f35af9ba9540740eda7b16768dadfb3a99dfa0e2f93e9ec6d7

Download Submit
memory/2404-461-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-272-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-340-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-296-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-350-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-360-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-544-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-321-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-409-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-410-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-269-0x00000000022F0000-0x00000000023BE000-memory.dmp

Filesize
824KB

Download
memory/2404-420-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-534-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-430-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-431-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-471-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-270-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-450-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-524-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-460-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-546-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-523-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-271-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-297-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-481-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-482-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-273-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-492-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-274-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-502-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-503-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-384-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2404-513-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3444-396-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/3444-399-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/3444-545-0x00000000C4BB0000-0x00000000C4CB5000-memory.dmp

Filesize
1.0MB

Download
memory/3444-398-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3444-397-0x0000000005690000-0x0000000005C36000-memory.dmp

Filesize
5.6MB

Download
memory/4896-303-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4896-302-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4896-301-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4896-304-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4896-318-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download