Payload — Technical Analysis (Windows)
ID: 24ecd58d-837f-4654-b1ef-0d729498f618
STIX ID: report--24ecd58d-837f-4654-b1ef-0d729498f618
Threat Score: 80/100
This report provides a reverse-engineered technical analysis of the Windows 'Payload' ransomware (SHA-256: 1ca67af9...). It describes the sample's build; its IOCP-based multi-threaded encryption, which uses a Curve25519 key exchange and ChaCha20 with AVX2, SSE2 and scalar code paths; its file targeting and the footer format appended to encrypted files (.payload extension); its recovery-inhibition steps (vssadmin shadow-copy deletion and recycle-bin emptying); its extensive termination of processes and services belonging to backup and database software; its ETW bypass; its use of the NT native API to evade user-mode hooks; its self-deletion via an NTFS alternate data stream (ADS) rename; and the associated onion infrastructure and ransom note details.
