troldesh | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Analysis

max time kernel
64s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
15-07-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

1.4MB
MD5

63210f8f1dde6c40a7f3643ccf0ff313
SHA1

57edd72391d710d71bead504d44389d0462ccec9
SHA256

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512

87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
SSDEEP

12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/996-1-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-22-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-24-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-25-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-34-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-64-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-90-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/996-210-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133655122419165120"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
996	[email protected]
996	[email protected]
996	[email protected]
996	[email protected]
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3216	chrome.exe
3216	chrome.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	taskmgr.exe
Token: SeSystemProfilePrivilege	3432	taskmgr.exe
Token: SeCreateGlobalPrivilege	3432	taskmgr.exe
Token: SeSecurityPrivilege	3432	taskmgr.exe
Token: SeTakeOwnershipPrivilege	3432	taskmgr.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: 33	3432	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3432	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4540	3216	chrome.exe	87
PID 3216 wrote to memory of 4540	3216	chrome.exe	87
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 5036	3216	chrome.exe	88
PID 3216 wrote to memory of 2220	3216	chrome.exe	89
PID 3216 wrote to memory of 2220	3216	chrome.exe	89
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90
PID 3216 wrote to memory of 2416	3216	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc4d8cc40,0x7fffc4d8cc4c,0x7fffc4d8cc58
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4292,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:4448

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
c169c46d81d930738c59e307a9385a4f

SHA1
5d37f6de1d40faee210ab8ff99f5a61121ce8add

SHA256
952117e2a7cf8613ce56c7d6e0c61a46030e38515b485b9cb3e0c9a9d7a5d91d

SHA512
1c4b4269e97758ade38fe83d803ee272a3bd5d19ae1ba886bb81cd30ef72eb7af7026c7a0b2fb20298cd2a9ae0ca082614369dcccf3c661144aca07aa07f1ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5059f1105c9a7a0b52a35ff99eba9b56

SHA1
e3b5280e1160a6253252dd7042aa2aa3f53dce22

SHA256
6ac13a9f86ce7562f090b65d3d2d998d569d19da6b4d0ae02ecbb5091fb66810

SHA512
8a727beff028eced21af16e6140497174188384b332f7bb436fe65defc9735b37e05616bc71b7bff0f9133cf7b9fccbf17d9521080a1e2acae752a64259a2260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c40ac670fef48bfc3342493d55593b77

SHA1
5942feb5d7b715985a4bc5e7431e6a8823172190

SHA256
bb55559f66e5240d9e8f8ea9b56e80a2d8374df5a0afb966b8a0a16779a540e6

SHA512
8633d97f546d4a825088b24cac2460045a9073adce99d55fa0af22e7ddc88d31c9d56965ab0445b61d43f39be94e37c5fe0cffe41f2643a0be243a9e416a8318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2b2c15e299df0408ac8eeaa13af8e6cd

SHA1
1095790ee9cedb367f99e3569c87fa93757cff83

SHA256
72feef1f731818e8353a036b54327c09f53fb75b232fbc61c75cf4c75cb94033

SHA512
5f32fc2ac01ae5400989c8f42dbb3c05eb0a34cdfadde0e08b9ed6711679c401ee1a166a350008a35049a0cddacf690c583c214370bba0ceafe8fee9d02cd007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4897a69093b3aed7e5b11d0831e68545

SHA1
820f1a66a95f84d19656b4e8b486bafee5f22212

SHA256
48295d3e4e8d558acce0a71381055a95fac44f05c2dd02d4d5c9b2eb9b216f56

SHA512
f0646e6655441303f78c65933152d735ceda8b82a3f5aaf27b619b1fc98e09c413b64377a247779ed8671560e1e79829e24abb7f3a2e2b5e19b341a6edc14966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ab586fd3461bec6feb3be909081e0564

SHA1
88c7bf7f16878288787c96d49699a58400c80725

SHA256
528b6eacf5e6f9e0c435e1b3c4786b2eea3068688482bf835010cd40c5773953

SHA512
3cacfc9d6ab2daa0a81a762b02e259d0ac2ce5a501266aa1df2c8b41a199498913872ce81e38def8dd7930106a9684884bb9f9f92cb1cc81bfd807f9d3ae25bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
969e083bd78fbd280724aec7bed292db

SHA1
de43ae8ea6e8d7bf09e0e45d6188d3819d213552

SHA256
7e21cb42014892a908cc2da58828002e831e92ccc5134ad75465c3df1f14b4ef

SHA512
9cc2d6042202944b3e8258124751638ec24f157d2ee1e51144b9cb6518d83bffb917b228a0c7b60cb14ad351ed5cde92d25854637edb74ce1e53b1cd71a57385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
2be61ad5718441efee21e9613d1fd0e9

SHA1
d6d5dd772ca7428fe41c5305331c1cdf112c48ab

SHA256
1e115abaff74d1471f579df8c90515eaf13528d8d6d0f12eea15d7879e0fa8e8

SHA512
eacbfd74294c5dc59ed77a4507d2a2118b25556284074b7a1dcfdb04f814ec77f42fb37f1a1f3b9a423e1662079bf079e93ac5ee2173bcd5702581aefd9a838c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
10c4a993a5d30ab2b6f724f5cad910c5

SHA1
90f0e19be2555691db1c0aeddcf8411188c7cc54

SHA256
c6cf5144ada3641d88b9f88ca5363ca2e90dfbfa3d04fab9605172faf85e80fb

SHA512
5dbaa83bfe8718f1e2dfc656e7b3aaeea3abc632f6644dd7a8195e7c9f6d34b0bcdabb90342aa1e681b15842c2e8d91009ab775fcc42420f0064fafcec10f386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/996-24-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-90-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-210-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-0-0x0000000002460000-0x000000000252E000-memory.dmp

Filesize
824KB

Download
memory/996-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-2-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-34-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-5-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/996-64-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3432-17-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-11-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-10-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-9-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-15-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-21-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-20-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-19-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-18-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/3432-16-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp

Filesize
4KB

Download