Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:58
Static task: static1
Behavioral task: behavioral1
- Sample: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
- Resource: win10v20210410
General
- Target: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
- Size: 14.1MB
- MD5: d35fa59ce558fe08955ce0e807ce07d0
- SHA1: 3fa0e015acddad634f9f362099f3d79683159726
- SHA256: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
- SHA512: b1965eea1ed6c77979c79acf893cd2ac2dbfa898b870f76d9ab59936ac5cf5c0995db9d98addfa72e6c1b2b304d6b021b9be89458a5b82ea6ff9f5014c8f9d0b
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- Email: Enigma1crypt@aol.com
Signatures

Dharma
Dharma is ransomware that uses a security software installation to hide its malicious activity.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 1288 Defender_nt32_enu.exe
- 1512 taskhost.exe
- 1648 Help.exe
- 768 Defender_nt32_enu.exe
- 1844 taskhost.exe
- 1164 BootHelper.exe
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\Pictures\ConvertUninstall.tiff (taskhost.exe)
Sets file execution options in registry (2 TTPs)

YARA rule match: upx
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\Help.exe: upx (5 matches)
- C:\Users\Admin\AppData\Local\Temp\Help.exe: upx (2 matches)

YARA rule match: vmprotect
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\taskhost.exe: vmprotect (4 matches)
- C:\Users\Admin\AppData\Local\Temp\taskhost.exe: vmprotect (3 matches)
- behavioral1/memory/1512-88-0x0000000000AB0000-0x00000000013BB000-memory.dmp: vmprotect (1 match)
Drops startup file (5 IoCs)
Processes (description, ioc, process): all entries by taskhost.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Loads dropped DLL (19 IoCs)
Processes (pid, process):
- 332 a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe (12 entries)
- 1288 Defender_nt32_enu.exe (1 entry)
- 768 Defender_nt32_enu.exe (5 entries)
- 1512 taskhost.exe (1 entry)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description, ioc, process): all entries by taskhost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
Drops desktop.ini file(s) (64 IoCs)
Processes (description, ioc, process): every entry is "File opened for modification" by taskhost.exe
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- C:\Users\Public\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Program Files\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process): all entries by taskhost.exe
- File created: C:\Windows\System32\Info.hta
- File created: C:\Windows\System32\taskhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid, process):
- 1512 taskhost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1512 set thread context of 1844: taskhost.exe -> taskhost.exe
Drops file in Program Files directory (64 IoCs)
Processes (description, ioc, process): all entries by taskhost.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF
- File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10267_.GIF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF
- File created: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\MSGR3ES.DLL.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Java\jre7\lib\deploy\messages.properties.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01252_.WMF
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02285_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.DPV.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jre7\bin\kinit.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\wxpr.dll.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\Office14\VISSHE.DLL
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090087.WMF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\BHOINTL.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.id-978818B6.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\penchs.dll
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.id-978818B6.[Enigma1crypt@aol.com].ETH
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 1112 vssadmin.exe
- 2044 vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 1512 taskhost.exe (1 entry)
- 1844 taskhost.exe (63 entries)

Suspicious behavior: RenamesItself (1 IoC)
Processes (pid, process):
- 1844 taskhost.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, process):
- Token: SeTakeOwnershipPrivilege, 1648 Help.exe
- Token: SeBackupPrivilege, 2008 vssvc.exe
- Token: SeRestorePrivilege, 2008 vssvc.exe
- Token: SeAuditPrivilege, 2008 vssvc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 768 Defender_nt32_enu.exe (2 entries)

Suspicious use of WriteProcessMemory (57 IoCs)
Processes (description, pid, process, target process); repeated identical entries are collapsed with their count:
- PID 332 wrote to memory of 1288: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe -> Defender_nt32_enu.exe (4 entries)
- PID 332 wrote to memory of 1512: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe -> taskhost.exe (4 entries)
- PID 332 wrote to memory of 1648: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe -> Help.exe (4 entries)
- PID 1288 wrote to memory of 768: Defender_nt32_enu.exe -> Defender_nt32_enu.exe (4 entries)
- PID 1512 wrote to memory of 1844: taskhost.exe -> taskhost.exe (9 entries)
- PID 1844 wrote to memory of 1160: taskhost.exe -> cmd.exe (4 entries)
- PID 1160 wrote to memory of 1816: cmd.exe -> mode.com (3 entries)
- PID 768 wrote to memory of 1164: Defender_nt32_enu.exe -> BootHelper.exe (4 entries)
- PID 1160 wrote to memory of 1112: cmd.exe -> vssadmin.exe (3 entries)
- PID 1844 wrote to memory of 616: taskhost.exe -> cmd.exe (4 entries)
- PID 1844 wrote to memory of 1884: taskhost.exe -> mshta.exe (4 entries)
- PID 1844 wrote to memory of 236: taskhost.exe -> mshta.exe (4 entries)
- PID 616 wrote to memory of 1156: cmd.exe -> mode.com (3 entries)
- PID 616 wrote to memory of 2044: cmd.exe -> vssadmin.exe (3 entries)
Processes (tree; the number in brackets is the depth in the process tree, and the bullets under each process are the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\Defender_nt32_enu.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\Defender_nt32_enu.exe" --bts-container 1288 "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\BootHelper.exe
                Command line: BootHelper.exe --watchdog 768 --product "ESET AV Remover" 1.2.4.0 1033
                - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\taskhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\taskhost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops startup file
            - Adds Run key to start application
            - Drops desktop.ini file(s)
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: RenamesItself
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\mode.com
                    Command line: mode con cp select=1251

                [5] C:\Windows\system32\vssadmin.exe
                    Command line: vssadmin delete shadows /all /quiet
                    - Interacts with shadow copies

            [4] C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\mode.com
                    Command line: mode con cp select=1251

                [5] C:\Windows\system32\vssadmin.exe
                    Command line: vssadmin delete shadows /all /quiet
                    - Interacts with shadow copies

            [4] C:\Windows\System32\mshta.exe
                Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

            [4] C:\Windows\System32\mshta.exe
                Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

    [2] C:\Users\Admin\AppData\Local\Temp\Help.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Help.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- MD5: 0f7a19631b057dde130dde5b74a0580e
- SHA1: fe8302e63c7d731a085f2bab20e5d0161ebe0771
- SHA256: 372448f9963710b912fd12d47008fa435a441332b76738492acd9c28db3a6946
- SHA512: bf922cdb3ea2e84e8b609f170fd9c4b9379b8c816727baf745b35f3a0fc20c3b7f627923fc016b3095d9a2591ef926c760bc81616b0eed1e1a9041eed57475d1

C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
- MD5: ba0b09dad5e153c834c26b5a6f31d48a
- SHA1: e2da0e129de497e3abc2403163a144af6c2595f0
- SHA256: 0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
- SHA512: 8ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6

C:\Users\Admin\AppData\Local\Temp\Help.exe
- MD5: 84971d908283a08b10b07eae9ef66afa
- SHA1: 9d080494406ded19539ca8c2491e2c7dfcdf752d
- SHA256: 414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
- SHA512: 4d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\AppRemover_API.dll (these are the hashes of an empty, zero-byte file)
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\BootHelper.exe
- MD5: c23d20846bc85f9c3c689e77d9d18e7c
- SHA1: ec4d88abef56670bce95ad964a48efb9b2a44950
- SHA256: 0fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b
- SHA512: c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\BootHelper.exeMD5
c23d20846bc85f9c3c689e77d9d18e7c
SHA1ec4d88abef56670bce95ad964a48efb9b2a44950
SHA2560fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b
SHA512c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\Defender_nt32_enu.exeMD5
ff4877b3b99e0ff3986eeadf61d49675
SHA1bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f
SHA25661d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a
SHA5125ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\Defender_nt32_enu.exeMD5
ff4877b3b99e0ff3986eeadf61d49675
SHA1bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f
SHA25661d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a
SHA5125ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\avrsrv.exeMD5
813eff774039dc3e28e86f068b28dcd4
SHA1eee4b0288f71b83bc8e6d83743ede8a00637a872
SHA2562ff0205368c31c3b2018edbf9ae6d23b52abc4ede2846f633e2dc280d8a52838
SHA512da2c5e03f26af28ef8dabe29036fbffafab7a1c67ffa6cbf15b1f8f3e8628e137ac8047e548484b424ffb212bd8de5a8e0a76e03e6e7ded8cf8e69ac8ee8c8ab
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\eset.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\exclusions.txtMD5
848fb9d7dbc9f79a30587dcd76baa1a9
SHA147070d2f04bd756c2a8a3f7647b2cb51e6e19ae7
SHA256e498dbe001bcad5c3a43e5bce9995e6fcad83cab44a4c2fa038e3e33eb9057c0
SHA512a9b1b7c1afce4619c7be1fa575173fe0a14a631f1645a3d4686f3b2995227586e96d8e35e10f4cd2a81f557d467bb8b14d3b86d07d01cd93d397964a62bc8ad0
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\libwaapi.dllMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\libwaheap.dllMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\libwalocal.dllMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\libwaresource.dllMD5
53129a1b06edbd52d2cfaf7cf4e89ace
SHA16be471bce3e46d7b18379d843dd647a8d3b4749e
SHA2568aa7c1f644302ef65a278a782558a8a0557615cc82e5f180323313a69f37c502
SHA512a03146e841b09f2606c9c7eb24c57376a70f6f0e605378edd8cd3be278f678c4f2ff08fc46c9dd0f24e73c48bc54986898c7c145d8daadb95e5c450785cc016a
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\libwautils.dllMD5
47a1f24736a69955fd1164975c56bf3f
SHA15171b6a020cbe39a6a2fe404c787f398b5052899
SHA2562414c884d71d3b82b4482894162af067462ac5df38fb7980ee602a970a0d3e31
SHA5120e9cac96241d67140cba0600a9ada90b42104b38b466c27f4afdcf7411d859cdbe9381486b59317ffe8c280ef8181d66a4db18eea58f97a2844164605e67b3b2
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\license.cfgMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\plgAVRemover.dllMD5
099e32e5a8c23f0f7e747dd1e5b3aa5b
SHA1f5941e7701c1ff354578b315d0162f4ea531eab7
SHA256332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b
SHA5121feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\plgSciterBase.dllMD5
2901655c576f2b4679e9cc87c534acc8
SHA1ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11
SHA2563baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729
SHA5121ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\rm.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\sciter-x.dllMD5
bb34a6a2d76959afa73374e94c2ed122
SHA198f166919626114be5365f9d8ada703669286921
SHA25669db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63
SHA512fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\script.datMD5
becb785d1b42728fd5646d1f17f5c126
SHA12219c08bfeedbdb037b099e9ffc275464c6cb7ef
SHA256d8dc877b7d3159f779a93fa09c13cbebfc596415db26ea9c4b4632f49f7fc9d4
SHA5126e5e5bab66cd221f43b34a7f1cf547ddf714dd83df6748518835f63ef537ddcaafbd7a96d89b3e2447a8b12297e6aaa830c0550af04845e9cfbb7d18b50405fb
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
0f7a19631b057dde130dde5b74a0580e
SHA1fe8302e63c7d731a085f2bab20e5d0161ebe0771
SHA256372448f9963710b912fd12d47008fa435a441332b76738492acd9c28db3a6946
SHA512bf922cdb3ea2e84e8b609f170fd9c4b9379b8c816727baf745b35f3a0fc20c3b7f627923fc016b3095d9a2591ef926c760bc81616b0eed1e1a9041eed57475d1
-
\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exeMD5
ba0b09dad5e153c834c26b5a6f31d48a
SHA1e2da0e129de497e3abc2403163a144af6c2595f0
SHA2560d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
SHA5128ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6
-
\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exeMD5
ba0b09dad5e153c834c26b5a6f31d48a
SHA1e2da0e129de497e3abc2403163a144af6c2595f0
SHA2560d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
SHA5128ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6
-
\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exeMD5
ba0b09dad5e153c834c26b5a6f31d48a
SHA1e2da0e129de497e3abc2403163a144af6c2595f0
SHA2560d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
SHA5128ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6
-
\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exeMD5
ba0b09dad5e153c834c26b5a6f31d48a
SHA1e2da0e129de497e3abc2403163a144af6c2595f0
SHA2560d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
SHA5128ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6
-
\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exeMD5
ba0b09dad5e153c834c26b5a6f31d48a
SHA1e2da0e129de497e3abc2403163a144af6c2595f0
SHA2560d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
SHA5128ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6
-
\Users\Admin\AppData\Local\Temp\Help.exeMD5
84971d908283a08b10b07eae9ef66afa
SHA19d080494406ded19539ca8c2491e2c7dfcdf752d
SHA256414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
SHA5124d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630
-
\Users\Admin\AppData\Local\Temp\Help.exeMD5
84971d908283a08b10b07eae9ef66afa
SHA19d080494406ded19539ca8c2491e2c7dfcdf752d
SHA256414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
SHA5124d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630
-
\Users\Admin\AppData\Local\Temp\Help.exeMD5
84971d908283a08b10b07eae9ef66afa
SHA19d080494406ded19539ca8c2491e2c7dfcdf752d
SHA256414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
SHA5124d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630
-
\Users\Admin\AppData\Local\Temp\Help.exeMD5
84971d908283a08b10b07eae9ef66afa
SHA19d080494406ded19539ca8c2491e2c7dfcdf752d
SHA256414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
SHA5124d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630
-
\Users\Admin\AppData\Local\Temp\Help.exeMD5
84971d908283a08b10b07eae9ef66afa
SHA19d080494406ded19539ca8c2491e2c7dfcdf752d
SHA256414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
SHA5124d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\BootHelper.exeMD5
c23d20846bc85f9c3c689e77d9d18e7c
SHA1ec4d88abef56670bce95ad964a48efb9b2a44950
SHA2560fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b
SHA512c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\Defender_nt32_enu.exeMD5
ff4877b3b99e0ff3986eeadf61d49675
SHA1bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f
SHA25661d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a
SHA5125ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\plgAVRemover.dllMD5
099e32e5a8c23f0f7e747dd1e5b3aa5b
SHA1f5941e7701c1ff354578b315d0162f4ea531eab7
SHA256332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b
SHA5121feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\plgSciterBase.dllMD5
2901655c576f2b4679e9cc87c534acc8
SHA1ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11
SHA2563baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729
SHA5121ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-22F5-9EEF-4B65-67C2FD211EFC}\sciter-x.dllMD5
bb34a6a2d76959afa73374e94c2ed122
SHA198f166919626114be5365f9d8ada703669286921
SHA25669db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63
SHA512fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e
-
\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
memory/236-125-0x0000000000000000-mapping.dmp
-
memory/332-59-0x0000000075FF1000-0x0000000075FF3000-memory.dmpFilesize
8KB
-
memory/616-123-0x0000000000000000-mapping.dmp
-
memory/768-80-0x0000000000000000-mapping.dmp
-
memory/1112-102-0x0000000000000000-mapping.dmp
-
memory/1156-126-0x0000000000000000-mapping.dmp
-
memory/1160-95-0x0000000000000000-mapping.dmp
-
memory/1164-99-0x0000000000000000-mapping.dmp
-
memory/1288-64-0x0000000000000000-mapping.dmp
-
memory/1512-70-0x0000000000000000-mapping.dmp
-
memory/1512-87-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/1512-88-0x0000000000AB0000-0x00000000013BB000-memory.dmpFilesize
9.0MB
-
memory/1512-89-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/1648-78-0x0000000000000000-mapping.dmp
-
memory/1816-97-0x0000000000000000-mapping.dmp
-
memory/1844-92-0x000000000040A9D0-mapping.dmp
-
memory/1844-91-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1844-96-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1884-124-0x0000000000000000-mapping.dmp
-
memory/2044-127-0x0000000000000000-mapping.dmp