troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
1800s
max time network
1691s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-04-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4176-331-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4176-333-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2552-368-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-367-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-369-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-370-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-371-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-375-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-376-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-377-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-378-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-379-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-380-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-383-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-384-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-385-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-386-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-387-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-388-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-389-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-390-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-391-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-392-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-393-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-394-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-395-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-396-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-397-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-398-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-399-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-400-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-401-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-402-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-403-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-404-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-405-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-406-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-407-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-408-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-409-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-410-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-411-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-412-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-413-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-414-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-415-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-416-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-417-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-418-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-419-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-420-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-421-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-422-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-423-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-424-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-425-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-426-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-427-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-428-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-429-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-430-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-431-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-432-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2552-433-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	camo.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\FD90250FFD90250F.bmp"	[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-100.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\604_40x40x32.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-150.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png	[email protected]
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-125.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\976_48x48x32.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Diamond.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-black.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-200_contrast-white.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-100.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_32x32x32.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-100.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tiles\pyramid.jpg	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_contrast-white.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-200.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sy_60x42.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInRefocus.contrast-white_scale-125.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\Logo.scale-200.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-400.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\AppxManifest.xml	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page3.jpg	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-400.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-100.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-125.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\swear.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\sadsmile.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\ProgressBar\progress_foreground.jpg	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square71x71Logo.scale-200.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-80.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-100.png	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	[email protected]
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-150.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-200.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\mail.config	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_32x32x32.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48.png	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated_contrast-white.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\incoming_contacts.wav	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Tips_2.jpg	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\LargeTile.scale-125.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-unplated.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\um_16x11.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\commonassets.xml	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\awards_bronze.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-256.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mz_60x42.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-24_altform-unplated.png	[email protected]
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\SmallTile.scale-125.png	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	explorer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
844	4176	WerFault.exe	90

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2508	vssadmin.exe
696	vssadmin.exe
724	vssadmin.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
896	chrome.exe
896	chrome.exe
2552	[email protected]
2552	[email protected]
2552	[email protected]
2552	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3068	4160	chrome.exe	72
PID 4160 wrote to memory of 3068	4160	chrome.exe	72
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 2164	4160	chrome.exe	74
PID 4160 wrote to memory of 4564	4160	chrome.exe	75
PID 4160 wrote to memory of 4564	4160	chrome.exe	75
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76
PID 4160 wrote to memory of 2364	4160	chrome.exe	76

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8d2959758,0x7ff8d2959768,0x7ff8d2959778
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2836 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4712 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4456 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3636 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=1752,i,5170721582547449270,3398383602722994593,131072 /prefetch:8
  2⤵
  PID:2644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Xyeta.zip\[email protected]"
1⤵
PID:4176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 496
  2⤵
  - Program crash
  PID:844

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2552
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:2508
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:696
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4652

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System32\xfs

Filesize
107KB

MD5
4a3b2baa1b3ec955d78c42809ea150a9

SHA1
5bac0cb8e352944cec143f0a5b7b2cecf20b7bbb

SHA256
817506ee9b3e5237d10711ee3f0d8c4ff55d12005c1582b3e273c4a0433dd058

SHA512
d66e5b856d6fe3f34fd68476f84e7356bc8212296c35aca323cb5bb39dc6e8131360f0e526642d01ec7d826651015e0a399b953a50389166bf7d8a018666a2c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
432B

MD5
893ce759bb250d8c8d5cc43fea6db0c9

SHA1
1bc23a0289aa9debaec4899cb283b82374adaf10

SHA256
6ecdf077c1953c32aa6d694976130087fd471d089986b79fc4322540b898ee43

SHA512
c4c9808cc0b61f51d6b8716b77b249a809f44e3017e93907ddcd6a318f8f3749f8a782bf6a948b50af801061115d6f2a5c386f2b5e37bb5b33aa97ffffb3e503

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
86e7d44a4a00985c8f16987c34c738dc

SHA1
790f9616f9b9673927ad68d049a3e6c511f06f57

SHA256
d0e04c75e647fb1bad82a09657a20aeb75633347e7475624c5ce63f635bba004

SHA512
880b244c9b6580d951b3aae87a169ea89e4dcd8540f8dad5b7ffbb02698a78ce81b4df4434f2df8d6e170ab932e12b018c5c5e795bcca84ed4ec69645ea0a006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
20ca315d1e0978f98706f131783616a8

SHA1
cd71250fdd1a12b04326d215917640970f177936

SHA256
9be9bcc9f214c2328f9acd17a8204aa4bf4dc40ec397b07b4907cb738746021f

SHA512
37551a2ad54627506c8fd5b2abbe1f14dd31538efd3c76337c8cbd7d448adad2bd373a14ab6d6288e5865e85c4bcb5f0c43d341a29a732cb95edf07a6d389181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
74871519c54b3c1777c0174d38f50dbc

SHA1
db456b3c8442b2911e7ca6d6597bd10f7667ee99

SHA256
e79c17497c6413db1e85b9641df29a0e82386a5288d1a66718ce4aae2a01bcb2

SHA512
9edcf2fbad58cadc6e770d7dd37eb5de15c6a03fa96be302e4ee2d4d599c28300f2c42c9ec8d67f6bc568b28c82a8d8971598c69da5cbeb11417a4823bae483a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f45dc44d06c72b09585eb21ee9c2a6e1

SHA1
2f6fa7089b56c470ce646c50cd889d68cff3c656

SHA256
ce948f34aa31d00183606edeb2d710b1074874212d04b629ebec212ae8bb63d1

SHA512
3d2f440f9ce61052623369b2d210e8c6cc756673a32608ca13656b965d414f5aa082378a74fc3059fae72f12b26faac9650c403fb925e72076b6d75b2c5d57b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a305e5f438e60076d65f7ecad7cf1dc2

SHA1
d18620222630ef0012951d14b79bc1275545f98d

SHA256
4e234c1fad059ef47c74b56e381a000c419db015572b7858eca05ddd2b859b50

SHA512
f84c91a564b0d293962f1662fc971b0dc225a9554e7c5a7e0ed75ad2a63a56ba7e02a05c7543b7d791f134ef30a5968934283c567393467afad1e22e777f6cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b8e03d0cea8fe92596a4deca00f508b

SHA1
c744d11ccc975a9f7e268f8431bfd84b309d7abc

SHA256
7da6dfbbfb9c439e755ab9bec3fa9c81daa32f248f425b74935d528c31d91524

SHA512
47efc227c0a4a82c403f70317e4241b2af1c58b525d1fe0b010b7f5698b99991b165036410e77f25f92991e96729c8e1382c0f929be38bf60f80f662b89333c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8bd77d2e256914f325cd6d8542843eae

SHA1
726349d60459bd743f9ef93ab62e8d042baaae9d

SHA256
853eccbc18113755aec5083ff321aa5369911b4152a3f695b82c5fd77c535cf7

SHA512
d583387b6499dd8e3d72d20c592e90c302fd3b781df06e381a4742198ccdc9a729383f57069399569ff030b577a408a5307e93351c4af3e3f3b79f925fc92247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ee735ad620e4d59d5a14c78886337e00

SHA1
82c97777a3d8b1b5273f57d7fad2d7e4d4fac96b

SHA256
1424b14bc4b78dc0954ed7e9e85d7e9634ad51b3057870b6912e461829d3bdad

SHA512
f47704daeccdf98caf172157a4b090c699fdcfee161bf0179b02f78c5705d27ca5a1153c3fa1d5d0cfbe977a3a9cd119f2570924c0afa4effba57e2908784f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c2da96dda332be40f8c6a90e979d47e

SHA1
ccf4a90a3aae20cc2dcde1894e464d6a9209aa2f

SHA256
9ab5092468a068fbff36029d6ae730a19fa2cf3e748c3b768176745d3ab7b83f

SHA512
12cc22c4b9f5d4d6b5dc2029f9d07cdfdb3982c6dad5ef32fd6974e3239661e66fb33853667596f20f429c2fd3844e7e723e836018a2f7160c1665264cf9848f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d52e6806f60fd1a663388d6ba30c0c5d

SHA1
ee55779887f08bfb3300accec5de57e6ef533506

SHA256
8bc58b837e327bb306716139a7cea7be61314c144d91a88fd7ff582ea0ed11a2

SHA512
e62b690669579b6b66bf305eeeaa04d7e69758313b569c3b09b01ebb611edaa4cd4f996ed992e13e15c167f887143fac6be64480db53c286aa79d1d51a4b6c27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
47a26c265b50bc5904e2409c895a5d84

SHA1
3aeb6ccf9cec067a26a02a60dece88609242723f

SHA256
2eb65f4971459e115e25d4c902074b766affeb38ab6489a10d518d9ac5c5e490

SHA512
40c87f58e3c4a33a105f124897640e88fb21761b29c6215cb1a0a0d56e4dbc4b4e354864637e9f7d62f415ec250948052863c01f67474a8bb65790a89b427872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f4af37772a0229c0e96b350a8fe9c673

SHA1
955709854d606d6c435f70009a57a18a64702853

SHA256
46019cbcd9568de60c8b4c1a9ed4f66bb0ba6e14e45a720813eff0d5621688df

SHA512
c863ff7dca8f99f24f11d8c809aa34e70e73d6ae6b2b4662cc40e71c839f9f449ec85c3bda0de7e589c63ad9e2a757f0b83262593212ddf2d84aa08d26776391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6e6d7a2bdbe3207fe922c15a7922e44

SHA1
4d53761c84dbfb550ca2d55758c80849470ef198

SHA256
d754f87f557e84aa2d1d2d319f25281a7b66114d77f4a61160a80c2f0d5858aa

SHA512
90174b293d128bb49cf65ea3193e7ca448a60406f376b0cff59ff8b1591d5db4a82a0c3d06e9686dbd938b708c347eb4cd6251e1c71e2526738814c1386752e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
667696c479f6c2cc9ef00a9ca9c39ba6

SHA1
ff7980aef876e205886304dc279080a17aa026f1

SHA256
fcb10774f346f4b73b7f5585941b84f88da0766007756dd7bcbebac9c7029bca

SHA512
44edb81b14e16e4a9ce7d8a8e71473765abcc7d18a32531adec19ee9d6821b70df82caff3c7ddffea5d080e8a74ff537e856af3c94caa1525b6114cf450e84b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9cb53d1a206364ca27159e1e44fe50b7

SHA1
213c14e2809c714fba5043072ae35c3f2f884ac2

SHA256
8506f8fae50fe53a939cf8008118e91ebf31e53c978a7e6c8e64814b4f990973

SHA512
51c933da6de3fb71240a949ea1ad020bc20ab447c6144683fbac6481fd097789a1bef9a293a19f07fb28c353aeb660d3559512378075c5ca9b15a7172357baad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
6e09867640bf213c42e6785828efaed6

SHA1
67ffc4ff6509c8d6d40df9285ba6307fd75c73ca

SHA256
da63f0ece24cd48f86e347ba8274ce1bebebcd736c291521d2e92ee4241a8487

SHA512
f94db294a7361dcfc23f36846291ac24c04b41d3790c40d5e8d59f0e4059ae33152dc35a48644527935706f405ddf2dc17441dcea7dc542b81e345ad52beef35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
55aa320bdc9005092c3ec7c9af43ba23

SHA1
31c8dd6fccc76e7097b64caafe4433e7b1ccbe38

SHA256
85db1f111c845a15664bebea103f0bcfe2c7fda21bce76be51aa1219217b595a

SHA512
6c25edaef7ceeb98ba2893730b50bf8401dbf57c2bddf971cb3f5c78c18c5ab7c5d0a1066851331c6d7e6f872acf12c2f0ed45210bc159025a589fd0da46473f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
36ee39e818dc4ab06182ec55daca9c9e

SHA1
7c0717219f1fa1f976f56958c5279610dc1c6280

SHA256
b849aa3acdcadd6b7c67434a901456c926c0ae6e2493cb4b898b25162cc9639f

SHA512
d8d43eede7646cb148a12ee898e2d99257ce2ab5b4f45c3373b5508b55633d413dcbd022c638eba7311aa622004744314b16bcc03b9954e247e6501375ac2fe4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58d9f0.TMP

Filesize
93KB

MD5
60e87a46c465a1dab7d9ad73495d5ebe

SHA1
8710624f9bfd39a05d2f27b66d75bbc266b86591

SHA256
3dd2abdaf263ba5065c741e204dadfe672db08fbdb045c2e7238b937caa81d13

SHA512
3052105444a244cd608e9034e5ff41f5e14e9d45663128fc50834c5809cd6cea746a06325234bd947fde50d71434ec2577839d287bbc3efc9d924568bd17b6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
e512f03957f95807cca75f0e48e4d0a5

SHA1
a3ea519b66eb68b3f39cf4e592a54715375151ec

SHA256
0ab40163b22b1572463d21f5a5f16a54ec1bad006aa998495a856e3b10ce8493

SHA512
39c7b97fd9c62d041f3e7f9f8ef472fca6d38fa19a3bd01f69b8b44af723dd9f3e785f2899848dc9f39fef191af1140eec5f4ab59ec638b05657779657c9cb13

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\Xyeta.zip

Filesize
75KB

MD5
2e790095f8d6bb294112966470fd8d2d

SHA1
1f1894cc7a49a2cbe2a6e6d3b6dd9f692ba7b955

SHA256
bc70f420b0074b1a8fe8fb9696de2995bc396219a5cec74bf925ea394fe13bf7

SHA512
f5c912be7fe09d1706dbc31e5b8cbf49646f3504eea969cab9b58ff8c77baf11018fee2ae7b8d0ee77c18dd68821ffd0720ca980194cbd507d36c90c4b25c450

Download Submit
C:\Users\Admin\Downloads\Xyeta.zip

Filesize
75KB

MD5
213743564d240175e53f5c1feb800820

SHA1
5a64c9771d2e0a8faf569f1d0fb1a43d289e157c

SHA256
65f5d46ed07c5b5d44f1b96088226e1473f4a6341f7510495fe108fef2a74575

SHA512
8e6b1822b93df21dd87bf850cf97e1906a4416a20fc91039dd41fd96d97e3e61cefcd98eeef325adbd722d375c257a68f13c4fbcc511057922a37c688cb39d75

Download Submit
memory/2552-393-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-407-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-369-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-370-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-371-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-375-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-376-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-377-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-378-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-379-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-380-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-383-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-384-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-385-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-386-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-387-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-388-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-389-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-390-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-391-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-392-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-368-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-394-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-395-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-396-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-397-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-398-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-399-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-400-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-401-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-402-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-403-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-404-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-405-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-406-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-367-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-408-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-409-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-410-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-411-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-412-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-413-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-414-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-415-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-416-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-417-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-418-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-419-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-420-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-421-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-422-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-423-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-424-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-425-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-426-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-427-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-428-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-429-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-430-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-431-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-432-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-433-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-434-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-435-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-436-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-366-0x00000000021C0000-0x000000000228E000-memory.dmp

Filesize
824KB

Download
memory/4176-333-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4176-332-0x0000000000580000-0x0000000000583000-memory.dmp

Filesize
12KB

Download
memory/4176-331-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download