dharma | a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4

Analysis

max time kernel
150s
max time network
154s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
Size

14.1MB
MD5

d35fa59ce558fe08955ce0e807ce07d0
SHA1

3fa0e015acddad634f9f362099f3d79683159726
SHA256

a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
SHA512

b1965eea1ed6c77979c79acf893cd2ac2dbfa898b870f76d9ab59936ac5cf5c0995db9d98addfa72e6c1b2b304d6b021b9be89458a5b82ea6ff9f5014c8f9d0b

Score

10^/10

dharma xmrig miner persistence ransomware spyware stealer upx vmprotect

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Enigma1crypt@aol.com Write this ID in the title of your message A1AF9847 In case of no answer in 24 hours write us to theese e-mails: Enigma1crypt@aol.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

Enigma1crypt@aol.com

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 6 IoCs

Processes:

Defender_nt32_enu.exetaskhost.exeHelp.exeDefender_nt32_enu.exeBootHelper.exetaskhost.exe

pid process

2140 Defender_nt32_enu.exe
2700 taskhost.exe
2772 Help.exe
3540 Defender_nt32_enu.exe
4036 BootHelper.exe
3904 taskhost.exe

pid	process
2140	Defender_nt32_enu.exe
2700	taskhost.exe
2772	Help.exe
3540	Defender_nt32_enu.exe
4036	BootHelper.exe
3904	taskhost.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConnectUnprotect.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ExportShow.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\WriteRestore.tiff	taskhost.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Help.exe	upx
C:\Users\Admin\AppData\Local\Temp\Help.exe	upx
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\rm.exe	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\taskhost.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\taskhost.exe	vmprotect
behavioral2/memory/2700-131-0x00000000011B0000-0x0000000001ABB000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\taskhost.exe	vmprotect

Drops startup file 5 IoCs

Processes:

taskhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	taskhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe

Loads dropped DLL 3 IoCs

Processes:

Defender_nt32_enu.exe

pid process

3540 Defender_nt32_enu.exe
3540 Defender_nt32_enu.exe
3540 Defender_nt32_enu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3540	Defender_nt32_enu.exe
3540	Defender_nt32_enu.exe
3540	Defender_nt32_enu.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost.exe = "C:\\Windows\\System32\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	taskhost.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	taskhost.exe

Drops file in System32 directory 2 IoCs

Processes:

taskhost.exe

description ioc process

File created C:\Windows\System32\taskhost.exe taskhost.exe
File created C:\Windows\System32\Info.hta taskhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

taskhost.exe

pid process

2700 taskhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

taskhost.exe

description pid process target process

PID 2700 set thread context of 3904 2700 taskhost.exe taskhost.exe

description	ioc	process
File created	C:\Windows\System32\taskhost.exe	taskhost.exe
File created	C:\Windows\System32\Info.hta	taskhost.exe

description	pid	process	target process
PID 2700 set thread context of 3904	2700	taskhost.exe	taskhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\THMBNAIL.PNG.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_48x48x32.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-100.png	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Tips_4.jpg	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\canvas_flat_512x512.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\ui-strings.js	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_single_filetype.svg.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\te.pak.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-36_altform-unplated_contrast-white.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\FUE2_Image_4.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-200.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	taskhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_10.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png	taskhost.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_24x24x32.png	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6440_32x32x32.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-200.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\release.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cz_60x42.png	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ye_60x42.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png	taskhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.id-A1AF9847.[Enigma1crypt@aol.com].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\diff_match_patch_uwp.dll	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2220 vssadmin.exe
3936 vssadmin.exe

pid	process
2220	vssadmin.exe
3936	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskhost.exetaskhost.exe

pid	process
2700	taskhost.exe
2700	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe
3904	taskhost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

taskhost.exe

pid process

3904 taskhost.exe

pid	process
3904	taskhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Help.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2772	Help.exe
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Defender_nt32_enu.exe

pid process

3540 Defender_nt32_enu.exe
3540 Defender_nt32_enu.exe

pid	process
3540	Defender_nt32_enu.exe
3540	Defender_nt32_enu.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exeDefender_nt32_enu.exeDefender_nt32_enu.exetaskhost.exetaskhost.execmd.execmd.exe

description	pid	process	target process
PID 500 wrote to memory of 2140	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	Defender_nt32_enu.exe
PID 500 wrote to memory of 2140	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	Defender_nt32_enu.exe
PID 500 wrote to memory of 2140	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	Defender_nt32_enu.exe
PID 500 wrote to memory of 2700	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	taskhost.exe
PID 500 wrote to memory of 2700	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	taskhost.exe
PID 500 wrote to memory of 2700	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	taskhost.exe
PID 500 wrote to memory of 2772	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	Help.exe
PID 500 wrote to memory of 2772	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	Help.exe
PID 500 wrote to memory of 2772	500	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe	Help.exe
PID 2140 wrote to memory of 3540	2140	Defender_nt32_enu.exe	Defender_nt32_enu.exe
PID 2140 wrote to memory of 3540	2140	Defender_nt32_enu.exe	Defender_nt32_enu.exe
PID 2140 wrote to memory of 3540	2140	Defender_nt32_enu.exe	Defender_nt32_enu.exe
PID 3540 wrote to memory of 4036	3540	Defender_nt32_enu.exe	BootHelper.exe
PID 3540 wrote to memory of 4036	3540	Defender_nt32_enu.exe	BootHelper.exe
PID 3540 wrote to memory of 4036	3540	Defender_nt32_enu.exe	BootHelper.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 2700 wrote to memory of 3904	2700	taskhost.exe	taskhost.exe
PID 3904 wrote to memory of 2084	3904	taskhost.exe	cmd.exe
PID 3904 wrote to memory of 2084	3904	taskhost.exe	cmd.exe
PID 2084 wrote to memory of 2780	2084	cmd.exe	mode.com
PID 2084 wrote to memory of 2780	2084	cmd.exe	mode.com
PID 2084 wrote to memory of 3936	2084	cmd.exe	vssadmin.exe
PID 2084 wrote to memory of 3936	2084	cmd.exe	vssadmin.exe
PID 3904 wrote to memory of 2564	3904	taskhost.exe	cmd.exe
PID 3904 wrote to memory of 2564	3904	taskhost.exe	cmd.exe
PID 2564 wrote to memory of 1040	2564	cmd.exe	mode.com
PID 2564 wrote to memory of 1040	2564	cmd.exe	mode.com
PID 3904 wrote to memory of 1260	3904	taskhost.exe	mshta.exe
PID 3904 wrote to memory of 1260	3904	taskhost.exe	mshta.exe
PID 3904 wrote to memory of 1500	3904	taskhost.exe	mshta.exe
PID 3904 wrote to memory of 1500	3904	taskhost.exe	mshta.exe
PID 2564 wrote to memory of 2220	2564	cmd.exe	vssadmin.exe
PID 2564 wrote to memory of 2220	2564	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
"C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
"C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe
"C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe" --bts-container 2140 "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\BootHelper.exe
BootHelper.exe --watchdog 3540 --product "ESET AV Remover" 1.2.4.0 1033
4⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\mode.com
mode con cp select=1251
5⤵
PID:2780

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3936

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\system32\mode.com
mode con cp select=1251
5⤵
PID:1040

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2220

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
4⤵
PID:1260

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
4⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\Help.exe
"C:\Users\Admin\AppData\Local\Temp\Help.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
6e93ea018a0198715e05a4c17ba704d1

SHA1
8cd377518d77185325e974b6ba2256bf601a7c93

SHA256
40b15992634685485b621227e407209af154543ec41506f5ecaf848c7b2cd737

SHA512
ae94c3c7689c6c1d502e89f251f0156eaa1a79568e3c309b426e7e29450d0443b7733501d599cf935324ff1e723780af18b3985bcdd3516b082ba983be3c69d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
MD5
ba0b09dad5e153c834c26b5a6f31d48a

SHA1
e2da0e129de497e3abc2403163a144af6c2595f0

SHA256
0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83

SHA512
8ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
MD5
ba0b09dad5e153c834c26b5a6f31d48a

SHA1
e2da0e129de497e3abc2403163a144af6c2595f0

SHA256
0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83

SHA512
8ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Help.exe
MD5
84971d908283a08b10b07eae9ef66afa

SHA1
9d080494406ded19539ca8c2491e2c7dfcdf752d

SHA256
414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3

SHA512
4d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Help.exe
MD5
84971d908283a08b10b07eae9ef66afa

SHA1
9d080494406ded19539ca8c2491e2c7dfcdf752d

SHA256
414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3

SHA512
4d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\AppRemover_API.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\BootHelper.exe
MD5
c23d20846bc85f9c3c689e77d9d18e7c

SHA1
ec4d88abef56670bce95ad964a48efb9b2a44950

SHA256
0fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b

SHA512
c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\BootHelper.exe
MD5
c23d20846bc85f9c3c689e77d9d18e7c

SHA1
ec4d88abef56670bce95ad964a48efb9b2a44950

SHA256
0fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b

SHA512
c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe
MD5
ff4877b3b99e0ff3986eeadf61d49675

SHA1
bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f

SHA256
61d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a

SHA512
5ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe
MD5
ff4877b3b99e0ff3986eeadf61d49675

SHA1
bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f

SHA256
61d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a

SHA512
5ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\avrsrv.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\eset.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\exclusions.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwaapi.dll
MD5
2acb7f98aa264ce6e25b447e9478275e

SHA1
537549c96f4259ac78462523e65719ab58c8d98f

SHA256
a0cd9390e76389f5215ae46eb09b3870d29959b97ccfb240664cf85df948e424

SHA512
84bc612cac5e2c43a4154b37efb8cacda6f212fc31a9b687325c6402c543919c49c93ab05c140dd5d9c560d564b3bc12c3827fe834d993fb2a901f54059f4af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwaheap.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwalocal.dll
MD5
2a028e877d9a8f5822e514d7d757279f

SHA1
a68b3b5acffb8b177cf108c9d166d76cd6c3f80d

SHA256
ad0bd4b6e087e1877f5fc151de6c325793b733081f757230989114e0803f9811

SHA512
3df3ed4b2160a132d1002ed0395639c567f289a3d524f24a550c3ad6568b5e9e20547a351fd87affd3166fd946ae2cdd4705ffef630eb98e56e14bad83d5ebdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwaresource.dll
MD5
807867f1871b7e97b8bc52480654ad9c

SHA1
bb42806ff8eb40fd4856b9bd0e2ec4d212fe5937

SHA256
3c613b7698db2e6d73c23a7fd55f467026e3ff30693bf2c41a202d01d6606f45

SHA512
1d75501f3db1cba96f96b64f300dbd7f95a0669f2f393f3761ba8a3c66e10249bb401f9d3a527359b757a3b458706c510005b3e5526798074cd212217407cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwautils.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\license.cfg
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgAVRemover.dll
MD5
099e32e5a8c23f0f7e747dd1e5b3aa5b

SHA1
f5941e7701c1ff354578b315d0162f4ea531eab7

SHA256
332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b

SHA512
1feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgSciterBase.dll
MD5
2901655c576f2b4679e9cc87c534acc8

SHA1
ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11

SHA256
3baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729

SHA512
1ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\rm.exe
MD5
624da61f2906b55ca48e781ffb9272b4

SHA1
89d2bb54c53f4fde78394d299430fe4a8bc23de2

SHA256
3347c224698036e6f3ce5a8caab60aa05451406d9fe7d65492b948693f34d8e1

SHA512
07887b50320d37b0f107c1753137b99d7cda585e5c0a58de3683f4fc50ecef3fc01375cc1ce27704ae4cb0073aa776c94d043b870d1bfcac553fec5b01eac0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\sciter-x.dll
MD5
bb34a6a2d76959afa73374e94c2ed122

SHA1
98f166919626114be5365f9d8ada703669286921

SHA256
69db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63

SHA512
fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\script.dat
MD5
f19e9efccb1365ac5433f5b7e40194b6

SHA1
6a823f1f8e8d50626a9b48cae60927c1a71a61a3

SHA256
feb39b0af17fde2bfca8b0ae3edf984d4c64ef71f0f9237f68f361f2823f9f2a

SHA512
c54daacdfaec21791899d1fe56ec0ff4e584971147a80c98f339ab77125060b632f9afde67f1ada2d75a4de179e32e8d3a05c1f0e6efcaa0f8eb122f7087179b

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
MD5
bde189d41dc7594fb6ab5e3fee659b0e

SHA1
fa8739b6734f4bca949c94242e922aba730bac88

SHA256
703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe

SHA512
a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
MD5
bde189d41dc7594fb6ab5e3fee659b0e

SHA1
fa8739b6734f4bca949c94242e922aba730bac88

SHA256
703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe

SHA512
a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
MD5
bde189d41dc7594fb6ab5e3fee659b0e

SHA1
fa8739b6734f4bca949c94242e922aba730bac88

SHA256
703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe

SHA512
a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
6e93ea018a0198715e05a4c17ba704d1

SHA1
8cd377518d77185325e974b6ba2256bf601a7c93

SHA256
40b15992634685485b621227e407209af154543ec41506f5ecaf848c7b2cd737

SHA512
ae94c3c7689c6c1d502e89f251f0156eaa1a79568e3c309b426e7e29450d0443b7733501d599cf935324ff1e723780af18b3985bcdd3516b082ba983be3c69d6

Download Submit
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgAVRemover.dll
MD5
099e32e5a8c23f0f7e747dd1e5b3aa5b

SHA1
f5941e7701c1ff354578b315d0162f4ea531eab7

SHA256
332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b

SHA512
1feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e

Download Submit
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgSciterBase.dll
MD5
2901655c576f2b4679e9cc87c534acc8

SHA1
ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11

SHA256
3baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729

SHA512
1ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4

Download Submit
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\sciter-x.dll
MD5
bb34a6a2d76959afa73374e94c2ed122

SHA1
98f166919626114be5365f9d8ada703669286921

SHA256
69db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63

SHA512
fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e

Download Submit
memory/1040-165-0x0000000000000000-mapping.dmp

Download
memory/1260-166-0x0000000000000000-mapping.dmp

Download
memory/1500-167-0x0000000000000000-mapping.dmp

Download
memory/2084-143-0x0000000000000000-mapping.dmp

Download
memory/2140-114-0x0000000000000000-mapping.dmp

Download
memory/2220-168-0x0000000000000000-mapping.dmp

Download
memory/2564-164-0x0000000000000000-mapping.dmp

Download
memory/2700-130-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2700-132-0x0000000000940000-0x00000000009EE000-memory.dmp

Filesize
696KB

Download
memory/2700-131-0x00000000011B0000-0x0000000001ABB000-memory.dmp

Filesize
9.0MB

Download
memory/2700-129-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2700-118-0x0000000000000000-mapping.dmp

Download
memory/2772-121-0x0000000000000000-mapping.dmp

Download
memory/2780-144-0x0000000000000000-mapping.dmp

Download
memory/3540-124-0x0000000000000000-mapping.dmp

Download
memory/3904-145-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3904-140-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3904-141-0x000000000040A9D0-mapping.dmp

Download
memory/3936-146-0x0000000000000000-mapping.dmp

Download
memory/4036-133-0x0000000000000000-mapping.dmp

Download