troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
356s
max time network
351s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/672-440-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-441-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-442-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-443-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-444-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-448-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4960-449-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4960-450-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4960-451-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-452-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-453-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4960-454-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-457-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-458-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-468-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-469-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-472-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-473-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-474-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-475-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-476-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-477-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-478-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-479-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-480-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-481-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-482-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-483-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/672-484-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
19	camo.githubusercontent.com
20	camo.githubusercontent.com
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4560	msedge.exe
4560	msedge.exe
3716	msedge.exe
3716	msedge.exe
3312	identity_helper.exe
3312	identity_helper.exe
3236	msedge.exe
3236	msedge.exe
2260	msedge.exe
2260	msedge.exe
4148	msedge.exe
4148	msedge.exe
4148	msedge.exe
4148	msedge.exe
672	[email protected]
672	[email protected]
672	[email protected]
672	[email protected]
4960	[email protected]
4960	[email protected]
4960	[email protected]
4960	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3012	3716	msedge.exe	85
PID 3716 wrote to memory of 3012	3716	msedge.exe	85
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 2024	3716	msedge.exe	88
PID 3716 wrote to memory of 4560	3716	msedge.exe	89
PID 3716 wrote to memory of 4560	3716	msedge.exe	89
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90
PID 3716 wrote to memory of 2552	3716	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf5e446f8,0x7ffbf5e44708,0x7ffbf5e44718
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1992 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1014560525267636807,272563408055257780,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2912

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
360dd5debf8bf7b89c4d88d29e38446c

SHA1
65afff8c78aeb12c577a523cb77cd58d401b0f82

SHA256
3d9debe659077c04b288107244a22f1b315bcf7495bee75151a9077e71b41eef

SHA512
0ee5b81f0acc82befa24a4438f2ca417ae6fac43fa8c7f264b83b4c792b1bb8d4cecb94c6cbd6facc120dc10d7e4d67e014cdb6b4db83b1a1b60144bb78f7542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fbbaffc5a50295d007ab405b0885ab5

SHA1
518e87df81db1dded184c3e4e3f129cca15baba1

SHA256
b9cde79357b550b171f70630fa94754ca2dcd6228b94f311aefe2a7f1ccfc7b6

SHA512
011c69bf56eb40e7ac5d201c1a0542878d9b32495e94d28c2f3b480772aa541bfd492a9959957d71e66f27b3e8b1a3c13b91f4a21756a9b8263281fd509c007b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ad87c5bdb6202a07fe8e3a9cfc00dd5c

SHA1
c9802fb45d956a110b3230efcce03af06f1136c2

SHA256
261e96f873c842b08ccb0f01426644166c475aff2a6a86df9b74950a8406f1da

SHA512
225b3d10bf887d54f7531bf3e57ada054b3b213b07e232098ab50b780b03349e5185bc186b46a9633183546c9bf3ec090b729ef68a0773699d8287108a254c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
548ad56a638f7c74144c58218f882bf4

SHA1
21dcb4644970e6f47319de4fda9b200ec2528732

SHA256
7d352d85739303325d218edad9c332058d03b40e6ad4ea84c0c2103db85c9533

SHA512
d9757b2427b667d9aed570737c11743c360adda709d583752a1e983437c07da714eb49aee48262f1fdbbd23b55ccc227501aa725b3111a980431210b868bd139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
91a9065fc7a4dd9c669d60becae362de

SHA1
ca8382482928704cb1e9e9d30a5e7189b8b64a1b

SHA256
ed3d928ea6bdeab377dd799a23bce8f730f498a1adfb25099649cbf8840a02bc

SHA512
49852adcc7c102a06353391bfb4d95228aab0c5a38ea4b1af4b7f5dcecb39fc099666b950ded521973f6d5c337cab9a8829f804a25849477e6b2ea43f6beb460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36849dbf72c00aa423ae0d2d2bfaf7a3

SHA1
a6d18acbe5a44fba04662afd705773da073b4a9a

SHA256
653c4c82b0bedf0f3583509e595664f48ef1dd807f7ea1e52eb141bae7edf83b

SHA512
91333731cb00b9601f4b94ceb4f26f06d17cf05c5efdb600e79775174aaed4986bf01ed113f3a29cdaf974d3c7c9cb547e2b7777e46bd3028ba1f232fff29000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2be73fbc1e46e27707fed8af2736e7f3

SHA1
b014ae55f2c187b4ec962856addae18bd5db576f

SHA256
a992e0c77e892cd562bfbf6fe387a6bb430bbc83cd2ceaf30c5a0413711e2fc5

SHA512
1307da92f3cd2226288191ca8635854db407e17a75109f29ddb28ede182ca318f99ec14c3a2a74b38fc014cd3e8c9c0f9b378c099871b723b5935c900a324b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ebe5188125917206157be1c592b2d51

SHA1
009e869bb1de49e6ecb8017cbe0cff84d3ce5177

SHA256
afad58521abe9b1c3e7ce9e2e1c29aae6b97a9c36072c041e559a1fc4bb17105

SHA512
cab92396af7898617f956fc8ff0f9a48159effd0e662c30b4692f4aaa54a1a097592bcc634d0fa660741ce12bab26f51bb214eabf45b1c93230d3796f50291b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d9e32340bf9e5061b6fad07f8209e84

SHA1
4d16138a692c57eb8ae2e3f7a8338a7603fe7c9f

SHA256
babb8ea5de9f494f549b1168938c272743523a7b502f7b6fde0119504196078f

SHA512
428b419f2552aef8706916c11c06de6082860396af5f2f2c58ac2b79b93f47477a8dac1c836417e53e6891d44f5d4e49da5aebf70f123ec73dc99b8474719493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
de9006e3b9de27fe4666bc74ba4d1be1

SHA1
a6e39a822e8021ea4b7c04e5ae70b3fcec256e19

SHA256
5f316a80d283652fafd9a7991f51e6456babb3894e9e208836778c76baf9059f

SHA512
b6a5dad3d3799e9f33dac17e12da3160e338876bd3dfcf7a8b37890efada0714287294cbfbfc4ccac1533cd3349c3a0101402e8f6973e6ce131e74ded46350cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
20028560a252d5c848d1387494b60d71

SHA1
6915c5eb1c2014c2e78e2692a90498bb2a70d9db

SHA256
10b462a542b7557de4a95e72640d386447d7879fe56499d5b5eb9e3b10f7fbb4

SHA512
6f09c6b65c97168a76cc2e8f86f59d810737c4674d2047423b4efcd95ab7a0559b658d3ea3c3a6347bbc0e8b17a9c3578af7ba422577c61b8cd20aa6292334e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d9c3e0fe73390bdd6febc845f6dc0b3c

SHA1
071330314eef170abfed21cacf5b0ef0bb6f19bd

SHA256
ca6abf69444576b3b32a15003caac323c760fb9a0fd83065970847290ec01d74

SHA512
7121910cf89883524bca9fd796c7e31d48ffaac683d474220b63890757ca91d40f23b099727407e621116e8a48f3f07c5d8961662336b2875f23ae3594335df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8653b86a88c99503278e2c8a76e5d397

SHA1
bab7d4f1dcfeecf87a6a4bf32763b8d4fe075b38

SHA256
887ade3ced305a57889ea679e14177ad6214b198675c7e8e1156186d0d860190

SHA512
4171b54485f6d4d8617ed9c95dc74a6f21da1b5961c6f4fd0cc0d621dadec8ab8e895b454116e8d60b03d09d1f1dbaba03b02169797b80bee513e22550129c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
399714373ca5f79b5a186eda71cf7f44

SHA1
5aa7f1b0af5c4afb46cc60b2f15f6537332bfd5a

SHA256
f05f8629a69521f38d94419e8ce309f8d75d68de83b44fa8d24e2cf0034e5cbd

SHA512
ba2d9e0c89c8d2222fb4fbc00ebdcb8178e128d9c910c53bece90535b0771f4d104857a57aee6628ccb13206ee8afed46f442c1589b0546298375e6106fa2cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d2e8edfef66dc13a13ccc599be48e9ab

SHA1
31d05b382021a62c24f11c1cac8ee7dc26565f5f

SHA256
b4ecc379c51d4b6c8390a463928544c18a149a8544b81f4fcf1b3d16ef72334a

SHA512
ebe0270e974531d69e1be88c043a884915e7e2869e5c0a82a882045dd7ea4f99865719298a5d6c1f3c189b460982caf232a4036539a41d78f29ec1ac10a16491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bae6c09837da538785ebf831d69ab93d

SHA1
3dca001dc23a9449df4f494894940e0cfdf68165

SHA256
36b64da174c23fe13b166dc78ef01fa16a69133dfe6f2cefa7c8234b3ee77d50

SHA512
bd9beb6aad005c5112a0964bd8961e009fee0c5fc05d79d332e52a70512740d6fcde1eac65587ea63d11a6aa9d0c38bf998ad9da29550f4c6da9b0dcdd3d6f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4a60b2d77a4057d23dc143283dd391e6

SHA1
d192eb38decf250ce80fb403f00cd3acf6e31bb5

SHA256
79abcaac865d90960c1fb8094bd5f3e8a26f08d9f93983a404c38158a2ed3ff7

SHA512
1a1a6cdd2b56547c12ce94ad67a8db4cb2b3e1b51f2836aa8512e21727914cf995be3fa574d654712778be4a67ecdbb9eb1ba9b3dc4e05c9b499fe78be103e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58557e.TMP

Filesize
1KB

MD5
a6bd72f312b86174115efbab77c37349

SHA1
5f243e48b89b376d91b099aa9eb1a57b0aa3d094

SHA256
08d776a7bba0c63749645143ae76d78ac2c47a6943f7ef8b2161a8b19b84523c

SHA512
d74ba953d18f23e15fbd59288314f4b7b30f3a5e8b373f797900013cc7b6fc55a76a67a58c5c15200d2fb6d2f4d657cb2deb8520239e393bbeaa589df1117840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03646a367b0d0b63c0aea23831c3a9be

SHA1
b2c62deeeb0fd4818d22d66250fd361b935ace1d

SHA256
e766fc783b4fb1558c6c4f2f3416a7c5e95cb191d793e31d309a74bb33516e37

SHA512
b444afc4b1aa3a31eaee6f1e62ac4277a36b755be1fd75c6402de4d38699c5e45368217960aa4079d0d6018218689aa043f436e8006c9505ae7d410823ba0139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
646ede5f6f7c1e6feeae1b63f2722269

SHA1
af573aba0a496711e771d93c8d7b01138ac941e0

SHA256
dc64fc84272b6f592bb83f49de685d2ba516ebbd962797afb739462649880ff8

SHA512
126980160c71d9f6a15239577736fc7477a0f3c8707d277dd76ccae950b96e0679718c30413e97a0ed75c7daa8c3fed79bb494d6d6396adafd4c7fe78d695966

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
memory/672-441-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-477-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-439-0x0000000002340000-0x000000000240E000-memory.dmp

Filesize
824KB

Download
memory/672-442-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-443-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-444-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-448-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-484-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-483-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-482-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-452-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-453-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-481-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-457-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-458-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-468-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-469-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-472-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-473-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-474-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-475-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-476-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-440-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-478-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-479-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/672-480-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4960-454-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4960-451-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4960-450-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4960-449-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download