troldesh | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom[.]exe

Analysis

max time kernel
155s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
09/03/2025, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom.exe

Score

10^/10

troldesh defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	400	firefox.exe

Executes dropped EXE 2 IoCs

pid	Process
1548	NoMoreRansom.exe
2552	NoMoreRansom.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
8	raw.githubusercontent.com
10	raw.githubusercontent.com
31	raw.githubusercontent.com

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1548-483-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-484-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-485-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-486-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-487-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-497-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-498-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-588-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-590-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-594-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-598-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-600-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-602-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-603-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-604-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-607-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-610-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-611-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-612-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-615-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-621-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-622-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-623-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1548-624-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1548	NoMoreRansom.exe
1548	NoMoreRansom.exe
1548	NoMoreRansom.exe
1548	NoMoreRansom.exe
2552	NoMoreRansom.exe
2552	NoMoreRansom.exe
2552	NoMoreRansom.exe
2552	NoMoreRansom.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	firefox.exe
Token: SeDebugPrivilege	400	firefox.exe
Token: SeDebugPrivilege	400	firefox.exe
Token: SeDebugPrivilege	400	firefox.exe
Token: SeDebugPrivilege	400	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 4600 wrote to memory of 400	4600	firefox.exe	81
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 4260	400	firefox.exe	82
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83
PID 400 wrote to memory of 3092	400	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom.exe
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 27689 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35ccd03d-6ccd-43d2-b7cf-b49985ef8fc4} 400 "\\.\pipe\gecko-crash-server-pipe.400" gpu
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 28609 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {466a27dd-7fa3-4a4f-8f2f-6f18e2a9e9e7} 400 "\\.\pipe\gecko-crash-server-pipe.400" socket
    3⤵
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3312 -childID 1 -isForBrowser -prefsHandle 3304 -prefMapHandle 3300 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c383a02e-5454-41aa-8c78-42dc0810592c} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
    3⤵
    PID:1948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -childID 2 -isForBrowser -prefsHandle 2888 -prefMapHandle 3256 -prefsLen 33099 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0fac814-628a-4ce6-83db-8ead7a3d6db7} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
    3⤵
    PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4784 -prefsLen 33099 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15c2246-04b5-416c-be69-28f05c1af1eb} 400 "\\.\pipe\gecko-crash-server-pipe.400" utility
    3⤵
    - Checks processor information in registry
    PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 3 -isForBrowser -prefsHandle 5528 -prefMapHandle 4460 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cae3e66-a065-4e80-aeac-8c4bf83569b2} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
    3⤵
    PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {479a5b6d-4ac9-44a7-aae9-c4c36869cb42} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
    3⤵
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5936 -prefMapHandle 5940 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9930539-13b1-4ddb-9850-3d7a62fd2467} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
    3⤵
    PID:668
- - C:\Users\Admin\Downloads\NoMoreRansom.exe
    "C:\Users\Admin\Downloads\NoMoreRansom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4936

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
65c6ed9b39ef3eb21021c8d787719495

SHA1
0e8f3745659b409b422720f941f37e6a70492711

SHA256
2b6548a9ecf0738df96e8c144e550adada41a323cd9971748c50cc99d3314b78

SHA512
81227ce7ad7e2178945df6501b6b68861918824308ad13fabe6c91c2f17e7e0f814afa5123042e819977d354f94773fd9161b5dcb90f4b9516a4139e43ac8942

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\AlternateServices.bin

Filesize
8KB

MD5
a6b4ab7bf1fc3a76de1a8c60712ce8d3

SHA1
d7e536194c284866eb465ca404be995678da7cf4

SHA256
8402ae2ed363f378daec9fa053080050e2ecdbed5c599c98a313ae27a10fc707

SHA512
94a055e82ac97edf3966dd6482fef8fa8f0cdbd15a9af925a444401d695c93e53324791dd9337a3f9da2f13e078219b5aadadd35788bb15b67061eefb35f65ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7e1b3fca5cdf440e577952e91a385112

SHA1
8aabba611a35b3fd8c2b09f7b5f4a2ba5f115121

SHA256
4a48a8509443cc1b51e45b44726068a6d655290319ab518ac65b2fc6dcdd02da

SHA512
c7db485be8a1334d2ac14fdd86325bd198c2cb931c8fe71dd1b93742e3c2164774464157b29af8e638b79eabf7637b71e3e22b6900a617c12828d18b80db7666

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
078439944d5fc675b8037347afeb1bff

SHA1
2dd550bc22cf8b71429402cfd38d15710306bf33

SHA256
fb2ac3e961b5c0fa44ffc010da55b8f7a0c2b88e8520f17d9409cf2322872dad

SHA512
1bac8e2e3172fe3c83285c21b0175853f5db178db27a1ccaf28f710b198a2ce3d318ec2cedf2a5edeea418eae829933ff4ba4e34f697cabf811e95e93f06e5dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\pending_pings\8353853d-0622-4f65-90d1-505b0cb387ea

Filesize
671B

MD5
3b8a2b864b46caf0298943632d597528

SHA1
1ac3b2737888e5bfba45fc9916be81b3fbf41bcb

SHA256
191aaea782ba13a9e5b9a30e43947c6b974ce4d8bf7fc755b5c60957e27d6341

SHA512
7146de0dd15fa3a177e7d70d897321b429daab4576f457cdecc50b80d7c4f991a84c7a2735583adb9be16fd95bd50da8ce1dfed469af05fd18b171ccdec6ebd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\pending_pings\c5430c15-5ce0-49f9-adf3-e1303e03671d

Filesize
25KB

MD5
8538f430b04d783b248fc41c0389ca8f

SHA1
0c24e66e42a0c1a79debf7aef972af9659925aa8

SHA256
8422ba18adcad32aa230e4a155d90188f066c2c429c2f7751fc862c3e668e3f6

SHA512
9749eefef6109ff5dd30ee0f6fd3e1f1b27746b8ae142cbf930ba795510116f3c2d5793a9b3c3d134a53497ef07941ee920c880a0bf52c7b3d8b4f59d69c274a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\pending_pings\d36b98ad-9857-44e1-844e-15974463edc9

Filesize
982B

MD5
f8adcd340f15c9ba1c2e5330499f5754

SHA1
209c50afb6f5ef86342cdd794c38c7dae31838c4

SHA256
2ce2ca8bb3b93009a0ef68b53fef5afce5030de3f273148e3133b1c8dc5f10bf

SHA512
f23f4229eb40971f09d67a4b03d28188a9ee4f49169dec5728a55d0f59b9d50e81193f87f4e9ac44c4c4355e36c509ceaa25e53d221f43cdd6fae21ec0ef525e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs-1.js

Filesize
9KB

MD5
2340a7279aa00bf3d396e94f957707ac

SHA1
e63dc3319a779771b92458814211f89e64a4dbe5

SHA256
770e014eedd3e78702f1ffb67dab3199ef647b6b41d2b6a2fd52727c00dcecf3

SHA512
b008596ef23b2fcacf46ded87e2faf3d8e84030556590c1c084044add32e73f66c365db218266fb483bd46c56b3eba4f72297361ccd2489648fa0e2c22f324ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs-1.js

Filesize
10KB

MD5
84da73fd472bc35264f59f0aa7a579c3

SHA1
5ad7d4ab730d4fe187d5f9e51726592dbf0f9646

SHA256
21b219b740b97ace593002aa277d18981a230a12933b22513cf8c4448f496fde

SHA512
e40e478fa78d3e9ad56d6419212e8f6c6ae68d4128d1398d7dff37c15b9ed2b7309e8db58f8d1a92b5f1421f36635e8fdb9ff8ed5d640e71a677fe768f40afed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs.js

Filesize
9KB

MD5
af202c21913ee0c8de3a167609e37acb

SHA1
31e12a65335691b341cbdc7b0ebd6af141220886

SHA256
599d733a193d02014e46d96ba9cf3e7015f277e299b25325c22ef469877d0d42

SHA512
1f0ae96982cfd7c1cb607b5260292465b49491d00a03c70340e2ef521f844469b085f8505b5b94c973755831be285ae48513411cafecdbef262bcb03f5831b5b

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
memory/1548-484-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-611-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-497-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-487-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-486-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-485-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-483-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-482-0x0000000002430000-0x00000000024FE000-memory.dmp

Filesize
824KB

Download
memory/1548-588-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-590-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-594-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-598-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-600-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-624-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-623-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-622-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-621-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-615-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-610-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-498-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1548-612-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-607-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-604-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-603-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-601-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-602-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download