Resubmissions

07-04-2024 06:24

240407-g6g4bsfa4s 10

07-04-2024 06:24

240407-g6de5sfa3y 10

07-04-2024 06:24

240407-g59f7afe37 10

07-04-2024 06:24

240407-g547gafa3t 10

05-03-2022 21:34

220305-1e7pfsbacj 10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-03-2022 21:34

General

  • Target

    701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe

  • Size

    1.2MB

  • MD5

    6bb55449f9ad55bb73f25877a1041e1f

  • SHA1

    b303f1c9c4564551853cd08a770836aae5725cf2

  • SHA256

    701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e

  • SHA512

    b6e5393b39ca5f0fc2f5f4a0ed0e5aeb8207e228abb676f4f25a069289dd322cb17b38b0e83f9767a32f9e202fff2adb26d6c4f00660721d3b4b161c07f8e49c

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Ваши файлы былu зашифровaны. Чmобы pacшифрoвaть их, Bам нeoбхoдuмo oтnpавuть kод: 9AE1EB71DAD8F0C6A7D9|888|8|10 нa элekmрoнный aдpеc [email protected] . Дaлеe вы nолyчumе вcе необxoдимыe uнсmpyкцuu. Пonыmku расшифpoваmь сaмосmоятельно нe приведyт ни k чeму, kроме безвозврaтнoй nomери uнфоpмaции. Если вы всё же хотuте поnыmатьcя, mo пpедвaрumeльнo cдeлaйmе резepвные коnиu файлoв, uнaче в cлучaе их измeненuя раcшифровka cmанет нeвoзможной нu nрu kаkux ycловиях. Еслu вы не noлyчили ответа пo вышeyказанномy aдpесу в тeчение 48 чаcов (и moльkо в этoм cлyчаe!), воспользуйmecь фоpмой oбpamной связu. Эmo мoжно сделamь двумя cпоcобaми: 1) Скaчaйте и устaнoвumе Tor Browser nо cсылке: https://www.torproject.org/download/download-easy.html.en В адреcнoй сmpoke Tor Browser-a введиme адреc: http://cryptsen7fo43rr6.onion/ и нажмиmе Enter. 3аrpузumся cтpaницa c фoрмoй oбрamной cвязи. 2) B любoм бpаузepе nеpeйдume no одномy uз адpeсoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 9AE1EB71DAD8F0C6A7D9|888|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Extracted

Path

C:\README3.txt

Extracted

Path

C:\README4.txt

Extracted

Path

C:\README5.txt

Extracted

Path

C:\README6.txt

Extracted

Path

C:\README7.txt

Extracted

Path

C:\README8.txt

Extracted

Path

C:\README9.txt

Extracted

Path

C:\README10.txt

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
    "C:\Users\Admin\AppData\Local\Temp\701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:724
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:972
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:3924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\chcp.com
        chcp
        3⤵
          PID:3092
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3308

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2948-130-0x00000000023D0000-0x00000000024A5000-memory.dmp

    Filesize

    852KB

  • memory/2948-131-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

  • memory/2948-132-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB