troldesh | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master

Analysis

max time kernel
109s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 18:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master

Score

10^/10

troldesh bootkit evasion persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
776	NoMoreRansom.exe
5272	NoMoreRansom.exe
536	Krotten.exe
5784	PowerPoint.exe
2200	sys3.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/776-266-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-267-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-268-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-269-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-270-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-303-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5272-316-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5272-315-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5272-318-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5272-317-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-314-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5272-319-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-332-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-356-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-358-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-415-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-432-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/776-459-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
71	raw.githubusercontent.com
107	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "118"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599259718829059"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
776	NoMoreRansom.exe
776	NoMoreRansom.exe
776	NoMoreRansom.exe
776	NoMoreRansom.exe
5272	NoMoreRansom.exe
5272	NoMoreRansom.exe
5272	NoMoreRansom.exe
5272	NoMoreRansom.exe
1068	chrome.exe
1068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5812	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1396	1068	chrome.exe	82
PID 1068 wrote to memory of 1396	1068	chrome.exe	82
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1540	1068	chrome.exe	83
PID 1068 wrote to memory of 1820	1068	chrome.exe	84
PID 1068 wrote to memory of 1820	1068	chrome.exe	84
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85
PID 1068 wrote to memory of 5736	1068	chrome.exe	85

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a06bab58,0x7ff9a06bab68,0x7ff9a06bab78
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:2
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4496 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4556 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5288 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5568 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:5776
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - System policy modification
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2452 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3240 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2352 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3276 --field-trial-handle=1940,i,18340393880642184463,11094636909003781067,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2200

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5540

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3916855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
162a62eb9d5b621c78276985058e2f3d

SHA1
460a921842e011b4f77053ca9d39b2e67e787d84

SHA256
0d6973cd1c44caec1b0784d60bb49e947b9e4727ff9a52d98f491ac7c4f955e9

SHA512
3b2216fea4195186b2656199df5dcadf9712ce52876f71abee408b3f5055c10804d28645460ed547ba5407a8988fe7cf77ae216fcf8b54e9e6a57f66952bbaab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0eb316860b7267a3e6c3d879371b759b

SHA1
92bead2a00963f2a02f106ddaf2718456babb196

SHA256
ff8895c47910b460cbf980c0a1a6497359b208f2f143c958a73fc7324ffa75eb

SHA512
424c40dc0276ee54f0e608d0057d653c25d5c4e5de238cc6ea40c3ba3cdadf5773d4a864ec9fd74b6203c1f99981181c546754cce0e9b5ef619ac94b6a5af784

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2c5c38624a201babde84955e8b33ebf4

SHA1
9e37c278471552ecacdc6e22c29537ccb426bc7f

SHA256
9299e855b5b62ad43e4f697a151216cb8400f78853107acb80da5218f48cb5bf

SHA512
d6c238ed14f3d75dc3ce5acc5772c14cdc2ba602857c0deef879cb76196518e91a6809be4715fc30272a311db1517ca48c9d6242e4563cb67c1aea3ce7858a63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8aa69aa7d9c6eada234ad217ac459a84

SHA1
bac8a039ca6477bab9ad9bb3f65666d982e97a7c

SHA256
a3ffcd7b386446096baedb49fb69779396b6cbc0ef66f728bff6ae8561c793fa

SHA512
8187baaac76bb48608d7dca1f0a6de498a62a857fc412580935cd3eef06d5ee738a66fb4b3885c89c6fc8a65b0b37aa3ecef8816cb513508c99c335ef71b435f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e3278bf3909910002750af236be206c7

SHA1
22e6454543ea202ecbde0b13af1caa50f0a8026e

SHA256
643f8831ce05a1d0ad0185d93dea986dc1e29078df0177a761ef3c81316bfde4

SHA512
8d0995676d99acfc699ca4b87131cab985ff1f53fc88c17565d3a9fb9dbbf723c72910363426c1b4315564867acdc0e301e03f43dd386665f05de3b6082e11f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eb2150a6814e409228438055252141db

SHA1
910ea237d24be8574acd31a859d9ce75f0606b9a

SHA256
14b2b47ece8240f37c0a9342d87f6cb69dea428c8630abba623a61f6ef32a2ba

SHA512
2866594956cbdf524734d7e4678045bcacc98f3c4a57ecbb4018f978d50a75def69f480488a6f5296f4937087ef9c50726689463127eb21fdb023368142720ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5b0be9b8deed285233b81d8728ad2bfb

SHA1
e1ead9c0e433084e36cc8d0193f4e93ad9c22651

SHA256
c80019d9221baf867d3c0b9040642d8c05031548c3c42d28508e6aa54da03234

SHA512
68cb551631c9257125a29796552cab84b66714b9bfad4c4302103280b25898d26ed61476b230c3ef1da00eaab7b44c2453cd7799c13664f22bc49db27d9392f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
faa5143c34622b51fccc83ece4e4edad

SHA1
c0637a2f100c3af865274b8b7db9c8809b9ab513

SHA256
6b7260d897123cae1d0f460f66ced33f6c4959248610c2247b028b122e39ca1a

SHA512
28d188c90ab47f498eb4c0b0969b9a53afcc0eaf2c15adb484c8a103f1e88304f7537214fea6d452e9a426bbc6e5a6f48f9418f5f87bc5969079b75df0a9ae28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5b9619c2e106f7cca9bc0177c4352103

SHA1
b31aba1e3098b7353002d5502ae8986bae1a279a

SHA256
14c1d11da2f7d0d560e96d698bc34f19a5a8e4c3f69eebbee836a615ebebae9d

SHA512
b1b1ba40d381ab6479ea85d303de0a337a18f51de3e260959ff0b417690ec1dfc1aaf6354b74091816051d0b5ae1cec75876f6de03105a56637b6e40eacb2e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f2bf50a6eb63e7ffac4f93796209b4e1

SHA1
7978a95a31c73c6c02ddac639b29541d01cc83e2

SHA256
b457256abbda85fbb556626b4f85c61d0a2541a940302ed33f93ad1bf1f70290

SHA512
174f0965d4f4091e77c4d567513f5c611ca5e327bc12e3dd31bc9f635fc117585f9e666b7cf8bee5907c69e728ddd9319a436642441688adde20b4eee7f102c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d9635cebb14ea2eada85d56c5f022903

SHA1
2b752dc72d9b292c8756a7d0aeab72bca74db3c6

SHA256
fd229da84baa80929fff62153b9e42388826f8dbc4f0677c8e7b81e4f93775ae

SHA512
6dae2122bab695dcabcbe352cfd7a958df28dc5f2160b7f0f25f89fae798c8f196b2b14f74a5544d2044550d62bd351cc0b1dea4eb24016aa884c73d7899a048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9ef30b6dfc7c4e727fe8cb812920947a

SHA1
27b5c8a5ba41f0432e19070774d64a89d618a637

SHA256
55533794f20f535930d6406ccb1cb57133cc1db7db90ed55b11c105b43180bff

SHA512
5f8961d66f1707912633d2cc8bb167a90fd5abd9c9c3281a448659c3ef691c1de44a0c2dc6498863b9248b8644c0220fd40b49d5de9a3c95ae63edab1edf6888

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
19c0ef1b1227b76365ff8ee3016c3981

SHA1
592fc1e65aaf6785c7bb6580c513568e47b1cfeb

SHA256
01b74cc11111ed0dfdc60961e39923c0fe7c4d14652d49a567aa432d430e5c0d

SHA512
507a6589ddbf1ff59be62c4f8521f95c51d26a80228741a61dd54fb7ced9c2807e8cfdcc2a3ab91dece5c8164851d37f4f36495f7f434ebd506bf72501bf2d44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
4031775f7903ddd4bf5c4301195f3ca7

SHA1
f44e838a48349feaffbc2be67618048347b340ed

SHA256
8f76d11119aeb6de84cfcd73588aa1d6986fe28d30ff175bf90956cd3e72a586

SHA512
c1c37c79019d0ff1113d7bf886899e96fa591e5152a548ec889038631250017789fc9b1c1b162e5210f221e32b96ad7bf4c1e0c9ba775a20d4cda15db2559d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
fa3cee260c00f3356683930e948bd858

SHA1
2552810aad20294da68e083572e1a0a808457ab9

SHA256
9d62e411528bd4c0bd8e85b52668db8b02bd41869f5bbaa1d1bc546d5d9e259f

SHA512
024e8e3764d69a775a510a5095d15e42f101f61e95e0a3b929aee6a73aeedbf4d51550eee2704eef551d7e334044b997bbce01912fe66a1f5cdba0d3d5f02e5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
f9d73d08c7e1a05b7f2bf5d630883995

SHA1
f9a87cf3d0c2e95120f162a8dd83ad69628d4965

SHA256
cff9f6a7b00712db7fbd872c3848c14f9c45f2997fdc35eecc5abc3d16b69eaf

SHA512
bd82ca05fa8d515551d07347fcaa839a3199b3fc96757c1407cd286dee16d3fc7a07653e506d2ceae6e3653e7da89cca99042e5266bd835aeeaea861f2955d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
a59de075c4be6c0c934c3350029556ae

SHA1
03ae0eeb8bb70d11228dcee302ad663ccdf6c4b0

SHA256
c8e09d253ba4613c1dd4c1cd9a995d80b84067c1f1b43ea64a48bb57c77c6b0f

SHA512
c6a2b7e1d5c5b018628af869568b8c476b58f6a8bd1fc1bc26b1ee48f4bdb3e592d66687e51238a1ef7c9198c9be9a894449261ab75226cd6f9eca600a2db709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
202354156d1ba5a7e4c5660d3523e51b

SHA1
c67e03e8884e2c8be5026498440e9e04051f2f5b

SHA256
3901851360fb8abfabe9399bc7c18f4c806e454129f06017f70736d31ea9ac23

SHA512
d02336d53d9521f076b780b856720b2409661ed06d9ae35700c81cb86d633cff747cc1d358c5c31dccf45bd959cfa483e274d90af68be421a093a34658462340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d30f.TMP

Filesize
87KB

MD5
28f3c803e0665bd9b4fdbca78db365ad

SHA1
68531efdb2dd4015958cbac9f11c7b816099cf75

SHA256
f7adf3b9df18182de1761c45e30da40f04fde17b76bd144d86200307ebe30615

SHA512
c8d5557bcd369555959226502f6f4c5639fba2a5257b3f07e9a9de1d32e2c0b4f5b304b55efc52b7a680dd169f29bab56c0f5a34d8b2e4563a6cdd3419342122

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
39B

MD5
5bab23550d87f5289492508850e965b8

SHA1
753ba866033acefce32ce0b9221f087310bcc5ad

SHA256
092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474

SHA512
2518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399

Download Submit
C:\Users\Admin\Downloads\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 168820.crdownload

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 786147.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
memory/776-268-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-415-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-265-0x00000000022A0000-0x000000000236E000-memory.dmp

Filesize
824KB

Download
memory/776-314-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-266-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-356-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-358-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-459-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-267-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-269-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-303-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-332-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-270-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/776-432-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5272-316-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5272-315-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5272-318-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5272-317-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5272-319-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5784-449-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5784-456-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads