Analysis Overview
SHA256
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
Threat Level: Known bad
The file 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample was found to be: Known bad.
Malicious Activity Summary
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-17 14:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 14:56
Reported
2024-04-17 17:46
Platform
win7-20240221-en
Max time kernel
367s
Max time network
369s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49194 | | tcp |
| NL | 194.109.206.212:443 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 128.31.0.39:9101 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-17 14:56
Reported
2024-04-17 17:46
Platform
win10-20240404-en
Max time kernel
590s
Max time network
502s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-17 14:56
Reported
2024-04-17 17:47
Platform
win10v2004-20240412-en
Max time kernel
592s
Max time network
460s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-17 14:56
Reported
2024-04-17 17:47
Platform
win11-20240412-en
Max time kernel
612s
Max time network
505s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49735 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| SG | 76.73.17.194:9090 | | tcp |
| US | 208.83.223.34:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 14:56
Reported
2024-04-17 17:45
Platform
win10v2004-20240412-en
Max time kernel
591s
Max time network
494s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"
Network
Files