troldesh | hxxp://123moviesh[.]biz

Resubmissions

23-01-2025 14:30

250123-rt67sstqar 4

17-01-2025 14:00

250117-ra484azrcy 10

09-01-2025 14:36

250109-rywlvsskfz 7

Analysis

max time kernel
114s
max time network
116s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-01-2025 14:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://123moviesh.biz

Score

10^/10

troldesh bootkit defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2852	NoMoreRansom.exe
3140	PowerPoint.exe
3776	sys3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
58	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2852-458-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-459-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-461-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-460-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-474-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-486-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-520-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2852-542-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "44"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 887316.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 692034.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA	PowerPoint.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:Zone.Identifier:$DATA	PowerPoint.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
1088	msedge.exe
1088	msedge.exe
964	identity_helper.exe
964	identity_helper.exe
2456	msedge.exe
2456	msedge.exe
4876	msedge.exe
4876	msedge.exe
2852	NoMoreRansom.exe
2852	NoMoreRansom.exe
2852	NoMoreRansom.exe
2852	NoMoreRansom.exe
2204	msedge.exe
2204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3776	sys3.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3288	1088	msedge.exe	77
PID 1088 wrote to memory of 3288	1088	msedge.exe	77
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 1864	1088	msedge.exe	78
PID 1088 wrote to memory of 3748	1088	msedge.exe	79
PID 1088 wrote to memory of 3748	1088	msedge.exe	79
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80
PID 1088 wrote to memory of 936	1088	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://123moviesh.biz
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6dd93cb8,0x7ffd6dd93cc8,0x7ffd6dd93cd8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10382736958959421559,5126819037877301791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a12855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
035a89e78cf7821462d7d2026dd14350

SHA1
2fc0902fdca53fffacb52a3ccff2e978828423cb

SHA256
882ac8674ffecebab68981c4a166db4a6343c662347c7f79736e61c048516ebb

SHA512
e13f74328d0553fe20256575f4c47c5908b069047481d950c06f03d0331abbad042e57ca5bad3aac40945012d7a20d989f572d7de22ef73a8611d13fd88a2487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c6ed32c8bb7345e910f87726f8b33804

SHA1
efcd217ec7590509d2d282de3572524b8a4da4aa

SHA256
18b95b01588fb7a42b163d21c32ce8ffa682be54a82242837a259dee447cd3b3

SHA512
6a3dfe528923038c0a594b164b4aabcc4dac28ed6b409fa2bc070bc628e67b9f891e9c76c16ef44bb6a6e101961b2c9f45fc0b6740b9deb1e0146a04f378cc7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d650ccc50bc5b25857e0bded354e263

SHA1
1f2cf336b591a738df866c486a577377327938d7

SHA256
268d43b04ab52cc8c789648c739e64c1a8a704cf8d77144f0e1331ae983957f9

SHA512
8db68899ae38543fe99b767dfe9b435d5cd0c999d1d4eae6d29cced639d28f9c523059738b84236bebc90e5eba7a7fdea0e032073c1c8698a32e2c24a15048c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40514876562708c4658195efbf09fe4f

SHA1
bd42f332f3e00aeb61b38834865273e8e91d9685

SHA256
90f6939a699e5530b2c3b579e622fb71e7c3ee388ef3ae9a81dbd20ac7cea779

SHA512
9056b4cb617eef63e19bcf0753b7736aac00082db18500c87af4f9a81cdacdb3d83cb8d42968dbe854e70dd509ae0c3a15cece563e3055994f884158525154df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1aaea5e3dd9b9cce20eee8142ac2d48

SHA1
0a7dd6372ee29f0d30c297a61db1a6b2a5feed8b

SHA256
edb53641d7f2dd95cd41e0a0345f58d118e77cda482b7f9eb8212c8d8cc05d14

SHA512
a7dee92d942eec67a2c4f5cf23054dadab77fdb5dd2f40ec34103612617e422132e90d0556f51502d9f7ade28df8f5ca98f73be365417d7fe989837040839d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f53563a34fcf6a39e9e70f6af6cb4d54

SHA1
347a206d5ba2042da5fb061ad39b5b9b37df6903

SHA256
b0cd8769de176937fbcf88b9d7dfd47a3d526a3c628691b352752a50c7da4df8

SHA512
3f9125459c5807388c28baa0e1e094c2136174eafa860ad3a348ac6684a2a0df98791c10fca973da3aa174f024c19fa1916ef86372310d33fbb91a13fcafdfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d16951b3a300cbc939bd9e0f51ca3442

SHA1
d57dd67033cd403301637b125d111e0bb5e37652

SHA256
2303e5ad7b26a3d0746ce5760d5f029765a8163ac6915b62df6695b56b489bde

SHA512
c0ffc4fb8f32055059383d86c38e2bbfb74d304705e244665baf38d298497acb19f582e650fcb61bfe5b763bcf60212a1c9a744018c4beb2c867d252fd50b8cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1da4c07c7d56a1f1515fd0286401792b

SHA1
5d5b55621e538306e8d52524b5d6536834a13751

SHA256
f60f168e34e3f765ae4becab1eedc13913b991dd2780566d7afbd4ce35a20847

SHA512
17a06e0ebfc79a90bf263e5aa1037bb2179bc11c84adf30d299d3f6bf5b4ec6c6bb12bad772310c7007fb21d9a3327ddc96febb47e36dd041bec68dcacdf1e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f31c6441b856b76065cdc2b8eafc07a5

SHA1
0acb68308582873c491cae26e15c9cce09c4e0e0

SHA256
19d45a71051cd22942d22006dd6bb8df902f2428eb2608f92a9e14a232f6e7e9

SHA512
68a1632bbbe5e65851fac13962c5568e2da71bc080cfa5a581294c9bed212a53ea039b9616c57347f7a0de119ff4d531eb2211fcb921c66f45e113c929a93700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d9a3ded8acffba98381c96fc62f566b0

SHA1
eff2b89c78cf6f087d15f2e8afa41ed431e353e1

SHA256
02ba64022132fa26eb95f5fc30da4363be74cc0ca64b901be372a76abcb8fef1

SHA512
a1e7c648ddf21a0c33442b8047b4c73e41758349b2acda7dced34a535f514a31820c66495e04a8f0d734ef939744199b0188c625575c67a86f2e43ccfbde16ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e60a.TMP

Filesize
203B

MD5
651daa4bde7ade4965708ddbeeaddaa5

SHA1
d3812bac1cdf688f673573440c59ce9f5a99a77d

SHA256
e8074707e86482476654ea634e6b91ea55e9271a54c974546170ec95b316e0c2

SHA512
a932c86bac93be7120bcfa8b36c265c39c351ef286432c68f0a940c2af9d7da824866249ab5187a2d4bde5864f506a1a36555be1861ee63eefa756bc7d47314d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e7a13b11-1eae-4153-89e1-468c88d9595b.tmp

Filesize
1KB

MD5
17e6ed1af16fd37ffc543c75e6a4a4f0

SHA1
b1a6426902dc90c16d12880b61ab72eaddebdb44

SHA256
6875586fdbba8d74cd84d2390b3f3b4b04b051627647940296888e9f54142c6d

SHA512
9b170675e4ba7a82bf5754f603a8f39a056a024b4d1ac28735d58c4bacba928604fc93d8942324a65cc81f6ca9a3e86849c3b050141707059678d1fdb1e4e7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
259297e8f8a0bcd7b8949da0c7fed82f

SHA1
e52436ac1c25eaaa5dfd0cbe3c4a9c153133b9ca

SHA256
a2ac4101f5c898208c70942caf1b57ddc469dfb296af560a6c0eaad381d208c2

SHA512
cc6d084cd42e757b169184a9fc29ef1ee628336c8bf45cae119e62a823f3cf360542a1789c5b4c65f6eeb84e264b487b79ad9fe0a2728d485c1d41ff86963188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f1ae669fcb11081ad102a8ad2e92f00d

SHA1
ac502710fbe5be1da00ff25846b8a8539437c3e0

SHA256
5e16cb828d84a5d8064e9757d11ad2a5b3216ad6ee66794fa2faaf58cbc0cfab

SHA512
0c2baaee790baf0490e44646fc0c2f24a0e5d8104cc5e17806ee1e4e5635210513c15a1a5c302bcd66fb749415a378226667d80caebadaa1ba91b3b5542408d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aed4e2cb3d6eb7726bae832313355253

SHA1
8456873ba5b23b6b46be57ad2773604d6dd2269b

SHA256
e92b0b7025ad1254b4c803f82a6632eab002809fc59e207c92f4cb2b5a63d889

SHA512
0c0d2e2f497814f90aa0ecbdc9dfec689e2094a40ffca5b15c131a640a7e93f6d585cac4eccbe5f0d2fa80ca59fd7dd43e22430edd758438409202119c104215

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
39B

MD5
5bab23550d87f5289492508850e965b8

SHA1
753ba866033acefce32ce0b9221f087310bcc5ad

SHA256
092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474

SHA512
2518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 692034.crdownload

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 887316.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
memory/2852-474-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-486-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-460-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-461-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-459-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-520-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-458-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2852-542-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3140-532-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/3140-541-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads