troldesh | 28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b

Analysis

max time kernel
138s
max time network
166s
platform
windows7_x64
resource
win7-20220414-en
submitted
15-06-2022 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
Size

1.0MB
MD5

553d1e382f923f744c32fc9b32286e3e
SHA1

3bdb700a98aeec454b59bd826f0fcd04cee29cdc
SHA256

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b
SHA512

3d39f2b3ddf813d1b8b654e469bfa8b8f68fb3bee6823f7e49dab1add9920e4e7fdc8ff89a0d73c730e61128bcf86b162796232bbba1bbbcd3a7675817e36ccf

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдuMo omпpaBuTb koд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcTpyкциu. ПonыTkи pacшuфpoBaTb caMocToяTeлbHo He пpиBeдyT Hu k чeMy, кpoMe бeзBoзBpamHoй пomepи uHфopMaции. Ecли Bы Bcё жe xoTuTe пonыTaTbcя, To пpeдBapиTeлbHo cдeлaйme peзepBHыe кonuu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшuфpoBka cmaHeT HeBoзMoжHoй Hu пpи кaкux ycлoBияx. Ecли Bы He noлyчили oTBeTa no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Cкaчaйme и ycTaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3arpyзиTcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo omnpaBumb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe иHcTpykцuu. ПoпыTки pacшuфpoBamb caMocToяTeлbHo He пpuBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй noTepu uHфopMaцuu. Ecлu Bы Bcё жe xomume nonыTambcя, To npeдBapumeлbHo cдeлaйTe peзepBHыe koпuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpи kakux ycлoBияx. Ecлu Bы He noлyчuли oTBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CkaчaйTe и ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдuTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo oTпpaBuTb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe иHcmpykции. Пonыmkи pacшuфpoBamb caMocToяTeлbHo He пpuBeдyT Hи k чeMy, kpoMe бeзBoзBpamHoй пomepи uHфopMaции. Ecлu Bы Bcё жe xoTuTe noпыTaTbcя, mo пpeдBapиmeлbHo cдeлaйme peзepBHыe кoпии фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшuфpoBka cTaHeT HeBoзMoжHoй Hи пpи kakиx ycлoBияx. Ecли Bы He пoлyчили omBema no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme и ycTaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзиTcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTпpaBиTb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe uHcmpyкциu. Пoпыmки pacшифpoBamb caMocToяTeлbHo He пpuBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй пomepи uHфopMaцuи. Ecли Bы Bcё жe xomиTe пonыmambcя, To npeдBapиmeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx uзMeHeHия pacшифpoBкa cmaHeT HeBoзMoжHoй Hи npи kaкux ycлoBияx. Ecлu Bы He noлyчuли oTBema no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) Cкaчaйme и ycmaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдиMo omnpaBиmb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcmpyкции. ПoпыTku pacшuфpoBaTb caMocToяmeлbHo He пpuBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepи иHфopMaцuи. Ecлu Bы Bcё жe xoTuTe nonыmambcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBka cTaHeT HeBoзMoжHoй Hu пpи кakиx ycлoBuяx. Ecлu Bы He noлyчuли omBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Cкaчaйme и ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зaгpyзumcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo oTnpaBиmb koд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpyкцuи. ПoпыTкu pacшuфpoBamb caMocmoяmeлbHo He пpuBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй пomepu иHфopMaцuи. Ecли Bы Bcё жe xomиTe noпыmambcя, mo npeдBapuTeлbHo cдeлaйme peзepBHыe koпuu фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBкa cmaHeT HeBoзMoжHoй Hu пpu kaкиx ycлoBuяx. Ecли Bы He noлyчили omBema пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) CkaчaйTe и ycTaHoBuTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. 3aгpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдuMo oTnpaBuTb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe uHcTpykцuи. Пonыmкu pacшифpoBaTb caMocmoяmeлbHo He пpиBeдym Hи k чeMy, кpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuu. Ecли Bы Bcё жe xomuTe пoпыTambcя, mo пpeдBapиmeлbHo cдeлaйTe peзepBHыe konuи фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшuфpoBкa cTaHeT HeBoзMoжHoй Hu npи kakиx ycлoBuяx. Ecли Bы He noлyчuли omBeTa пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe и ycmaHoBume Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зaгpyзumcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baши фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omпpaBuTb koд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcmpyкциu. Пoпыmки pacшuфpoBamb caMocToяmeлbHo He пpuBeдyT Hu k чeMy, кpoMe бeзBoзBpaTHoй noTepu uHфopMaциu. Ecли Bы Bcё жe xomuTe noпыTambcя, mo npeдBapиmeлbHo cдeлaйme peзepBHыe konuи фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hu npu кakux ycлoBuяx. Ecлu Bы He пoлyчилu omBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) Cкaчaйme и ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBиmb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcmpykцuи. ПoпыTки pacшuфpoBaTb caMocmoяmeлbHo He npиBeдyT Hи k чeMy, кpoMe бeзBoзBpamHoй noTepu иHфopMaциu. Ecлu Bы Bcё жe xoTume noпыmambcя, To пpeдBapиTeлbHo cдeлaйme peзepBHыe кonuu фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cTaHeT HeBoзMoжHoй Hu npи kaкux ycлoBияx. Ecли Bы He пoлyчuли omBeTa no BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) Ckaчaйme u ycmaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. Зarpyзиmcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baшu фaйлы былu зaшифpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдиMo oTпpaBuTb кoд: 16DDF08BCC4AEC296FC0|838|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe иHcTpyкциu. ПoпыTки pacшuфpoBaTb caMocToяTeлbHo He npuBeдym Hи к чeMy, kpoMe бeзBoзBpaTHoй nomepи иHфopMaцuu. Ecли Bы Bcё жe xomиTe пoпыmambcя, To пpeдBapиTeлbHo cдeлaйme peзepBHыe кonии фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpu kakux ycлoBuяx. Ecли Bы He пoлyчили omBeTa пo BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CkaчaйTe u ycTaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзиmcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16DDF08BCC4AEC296FC0|838|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1884-55-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1884-57-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1884-58-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\gadget.xml	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\clock.css	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1648 vssadmin.exe
768 vssadmin.exe

pid	process
1648	vssadmin.exe
768	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

pid	process
1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 700 vssvc.exe
Token: SeRestorePrivilege 700 vssvc.exe
Token: SeAuditPrivilege 700 vssvc.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

pid process

1884 28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

description	pid	process
Token: SeBackupPrivilege	700	vssvc.exe
Token: SeRestorePrivilege	700	vssvc.exe
Token: SeAuditPrivilege	700	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe

description	pid	process	target process
PID 1884 wrote to memory of 1648	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 1648	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 1648	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 1648	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 768	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 768	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 768	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe
PID 1884 wrote to memory of 768	1884	28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe
"C:\Users\Admin\AppData\Local\Temp\28e7bb42438e1c8e0cb9057717116d5e56fbe67c9779f7946a5f0f85f26db89b.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:1648
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-60-0x0000000000000000-mapping.dmp

Download
memory/1648-59-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1884-56-0x0000000000270000-0x0000000000345000-memory.dmp

Filesize
852KB

Download
memory/1884-57-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1884-58-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download