Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:58
Static task: static1
Behavioral task: behavioral1
- Sample: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
- Resource: win10v20210410
General
- Target: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe
- Size: 14.1MB
- MD5: d35fa59ce558fe08955ce0e807ce07d0
- SHA1: 3fa0e015acddad634f9f362099f3d79683159726
- SHA256: a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
- SHA512: b1965eea1ed6c77979c79acf893cd2ac2dbfa898b870f76d9ab59936ac5cf5c0995db9d98addfa72e6c1b2b304d6b021b9be89458a5b82ea6ff9f5014c8f9d0b
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (the .hta dropped into the Startup folder and launched through mshta.exe in the process tree below)
- Emails: Enigma1crypt@aol.com (the same address is embedded in the extension appended to every encrypted file)
Signatures
-
Dharma
Dharma is a ransomware family whose droppers bundle a legitimate security-software installer (here the ESET AV Remover visible in the process tree) so that the malicious activity is hidden behind a plausible install.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 6 IoCs
Processes (pid, process):
- 2140 Defender_nt32_enu.exe
- 2700 taskhost.exe
- 2772 Help.exe
- 3540 Defender_nt32_enu.exe
- 4036 BootHelper.exe
- 3904 taskhost.exe
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\Pictures\ConnectUnprotect.tiff (taskhost.exe)
- File opened for modification: C:\Users\Admin\Pictures\ExportShow.tiff (taskhost.exe)
- File opened for modification: C:\Users\Admin\Pictures\WriteRestore.tiff (taskhost.exe)
Sets file execution options in registry 2 TTPs
-
Packer matches (yara_rule, resource):
- upx: C:\Users\Admin\AppData\Local\Temp\Help.exe
- upx: C:\Users\Admin\AppData\Local\Temp\Help.exe
- upx: C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\rm.exe
- vmprotect: C:\Users\Admin\AppData\Local\Temp\taskhost.exe
- vmprotect: C:\Users\Admin\AppData\Local\Temp\taskhost.exe
- vmprotect: behavioral2/memory/2700-131-0x00000000011B0000-0x0000000001ABB000-memory.dmp
- vmprotect: C:\Users\Admin\AppData\Local\Temp\taskhost.exe
A UPX match on its own is not evidence of malice (rm.exe sits in the session directory of the bundled ESET AV Remover). The VMProtect match on taskhost.exe, the process that performs the encryption below, is the one that matters for static analysis: the protected payload has to be dumped from memory (the memory.dmp entry above) before it can be examined.
Drops startup file 5 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (taskhost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe (taskhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (taskhost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A1AF9847.[Enigma1crypt@aol.com].ETH (taskhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A1AF9847.[Enigma1crypt@aol.com].ETH (taskhost.exe)
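The renamed files in this report follow one naming convention: the original name, then `.id-<victim id>`, then the contact address in square brackets, then the new extension (`desktop.ini.id-A1AF9847.[Enigma1crypt@aol.com].ETH`). The following Python is an added example, not part of the sandbox report or of the sample; it parses that convention out of a file path so the victim ID, contact address and extension can be pivoted on, and summarises a list of paths. The sample paths are copied from this report's IoC lists plus two constructed paths that were not renamed; the assumption that the victim ID is always eight hex characters is taken from the names shown here.

```python
import re
from collections import Counter

# Naming convention seen in the IoC lists (the 8-hex-digit victim id is an
# assumption drawn from the names in this report):
#   <original name>.id-<victim id>.[<contact e-mail>].<new extension>
DHARMA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]{1,10})$"
)

# Constructed sample: three paths copied from this report plus two that were
# not renamed (one only opened for modification, one never touched).
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A1AF9847.[Enigma1crypt@aol.com].ETH",
    r"C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.id-A1AF9847.[Enigma1crypt@aol.com].ETH",
    r"C:\Program Files\Java\jre1.8.0_66\release.id-A1AF9847.[Enigma1crypt@aol.com].ETH",
    r"C:\Users\Admin\Pictures\ConnectUnprotect.tiff",
    r"C:\Windows\System32\kernel32.dll",
]


def parse_encrypted_name(path):
    """Split a Dharma-style renamed file into its components.

    Returns None when the file name does not carry the marker, otherwise a
    dict with original name, victim_id, email, ext and the original file's
    own extension (lower-cased, empty when the original name had none).
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = DHARMA_NAME.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    original = fields["original"]
    fields["original_ext"] = original.rsplit(".", 1)[1].lower() if "." in original else ""
    fields["victim_id"] = fields["victim_id"].upper()
    return fields


def summarize(paths):
    """Count renamed vs untouched paths and group the renamed ones."""
    hits = [h for h in map(parse_encrypted_name, paths) if h is not None]
    return {
        "encrypted": len(hits),
        "untouched": len(paths) - len(hits),
        # (victim id, e-mail, extension) identifies one victim/campaign pair
        "campaigns": Counter((h["victim_id"], h["email"], h["ext"]) for h in hits),
        "original_types": Counter(h["original_ext"] for h in hits),
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(parse_encrypted_name(p) or "not renamed", "<-", p)
    print(summarize(SAMPLE_PATHS))
```

Running the summary over a full file listing from an infected host gives the victim ID and contact address to search for in other reports, and the `original_types` counter shows which file types the sample actually encrypted rather than merely opened.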
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 3540 Defender_nt32_enu.exe (3 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost.exe = "C:\\Windows\\System32\\taskhost.exe" (taskhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" (taskhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" (taskhost.exe)
The first value points at the copy of the payload dropped into System32 (see "Drops file in System32 directory" below); the other two use the full path of the .hta as the value name and relaunch it through mshta.exe at every logon. All three are written under HKLM, so the persistence survives for every user on the machine.
Drops desktop.ini file(s) 64 IoCs
Processes (all entries are "File opened for modification" by taskhost.exe):
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Program Files\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File created: C:\Windows\System32\taskhost.exe (taskhost.exe)
- File created: C:\Windows\System32\Info.hta (taskhost.exe)
The payload copies itself into System32 under a Windows-looking name and registers that copy in the Run key above; Info.hta is the .hta the Run keys launch with mshta.exe and the file from which the contact address in "Malware Config" was extracted.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid, process):
- 2700 taskhost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 2700 set thread context of 3904 (taskhost.exe -> taskhost.exe)
A parent writing into a freshly started child of the same image and then calling SetThreadContext is the classic process-hollowing / self-injection sequence: 2700 is the VMProtect-packed loader and 3904, the child, is the process that goes on to encrypt files in the tree below.
Drops file in Program Files directory 64 IoCs
Processes (description, ioc; all by taskhost.exe):
- File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\THMBNAIL.PNG.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_48x48x32.png
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-100.png
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Tips_4.jpg
- File created: C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\canvas_flat_512x512.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_single_filetype.svg.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\te.pak.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-36_altform-unplated_contrast-white.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\FUE2_Image_4.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-200.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_10.jpg
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png
- File created: C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_24x24x32.png
- File created: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File created: C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6440_32x32x32.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-200.png
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\release.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cz_60x42.png
- File created: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ye_60x42.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.id-A1AF9847.[Enigma1crypt@aol.com].ETH
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\diff_match_patch_uwp.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 2220 vssadmin.exe
- 3936 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2700 taskhost.exe (2 entries)
- 3904 taskhost.exe (62 entries)
Suspicious behavior: RenamesItself 1 IoCs
Processes (pid, process):
- 3904 taskhost.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeTakeOwnershipPrivilege, 2772 Help.exe
- Token: SeBackupPrivilege, 2680 vssvc.exe
- Token: SeRestorePrivilege, 2680 vssvc.exe
- Token: SeAuditPrivilege, 2680 vssvc.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
- 3540 Defender_nt32_enu.exe (2 entries)
Suspicious use of WriteProcessMemory 39 IoCs
Processes (description, pid, process, target process; repeated entries collapsed with a count):
- PID 500 a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe wrote to memory of 2140 Defender_nt32_enu.exe (3 entries)
- PID 500 a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe wrote to memory of 2700 taskhost.exe (3 entries)
- PID 500 a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe wrote to memory of 2772 Help.exe (3 entries)
- PID 2140 Defender_nt32_enu.exe wrote to memory of 3540 Defender_nt32_enu.exe (3 entries)
- PID 3540 Defender_nt32_enu.exe wrote to memory of 4036 BootHelper.exe (3 entries)
- PID 2700 taskhost.exe wrote to memory of 3904 taskhost.exe (8 entries)
- PID 3904 taskhost.exe wrote to memory of 2084 cmd.exe (2 entries)
- PID 2084 cmd.exe wrote to memory of 2780 mode.com (2 entries)
- PID 2084 cmd.exe wrote to memory of 3936 vssadmin.exe (2 entries)
- PID 3904 taskhost.exe wrote to memory of 2564 cmd.exe (2 entries)
- PID 2564 cmd.exe wrote to memory of 1040 mode.com (2 entries)
- PID 3904 taskhost.exe wrote to memory of 1260 mshta.exe (2 entries)
- PID 3904 taskhost.exe wrote to memory of 1500 mshta.exe (2 entries)
- PID 2564 cmd.exe wrote to memory of 2220 vssadmin.exe (2 entries)
Two or three writes into a freshly created child are what every CreateProcess call produces and are not interesting by themselves; the eight writes from 2700 into 3904, followed by the SetThreadContext call above, are the ones that mark the injection of the unpacked payload.
Processes (nested by parent; PIDs taken from the signature sections above where unambiguous)
- C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe (PID 500)
  command line: "C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.sample.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe (PID 2140)
    command line: "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe (PID 3540)
      command line: "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe" --bts-container 2140 "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\BootHelper.exe (PID 4036)
        command line: BootHelper.exe --watchdog 3540 --product "ESET AV Remover" 1.2.4.0 1033
        signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\taskhost.exe (PID 2700)
    command line: "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\taskhost.exe (PID 3904)
      command line: "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
      signatures: Executes dropped EXE; Modifies extensions of user files; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\mode.com
          command line: mode con cp select=1251
        - C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          signatures: Interacts with shadow copies
      - C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\mode.com
          command line: mode con cp select=1251
        - C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          signatures: Interacts with shadow copies
      - C:\Windows\System32\mshta.exe
        command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      - C:\Windows\System32\mshta.exe
        command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Users\Admin\AppData\Local\Temp\Help.exe (PID 2772)
    command line: "C:\Users\Admin\AppData\Local\Temp\Help.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2680)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
The ESET AV Remover branch (Defender_nt32_enu.exe, BootHelper.exe) is the decoy install; the taskhost.exe branch is the ransomware. Each shadow-copy deletion is preceded by `mode con cp select=1251`, which switches the console to the Windows Cyrillic code page, and vssvc.exe at the top level is the Volume Shadow Copy service being woken up by the two vssadmin calls, not a process the sample started.
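The Run-key writes, the shadow-copy deletion and the process tree above are the behaviours a detection engineer would want rules for. The following Python is an added example, not code from the sandbox report or from the sample: it runs five small rules over constructed process-creation and registry-value-set records modelled on this report. The field names (Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon's naming, but the EventType values and the records themselves are assumptions of this example, not real log data; a benign `vssadmin list shadows` is included as a control that must not fire.

```python
import re

# Constructed records modelled on the process tree and Run-key writes in this
# report. Field names follow Sysmon; the EventType values are an assumption of
# this example and the records are not taken from a real log.
EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\system32\mode.com",
     "CommandLine": "mode con cp select=1251",
     "ParentImage": r"C:\Windows\system32\cmd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\system32\cmd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Users\Admin\AppData\Local\Temp\taskhost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost.exe",
     "Details": r"C:\Windows\System32\taskhost.exe"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Users\Admin\AppData\Local\Temp\taskhost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta",
     "Details": r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"'},
    # Benign control: an administrator listing, not deleting, shadow copies.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\system32\cmd.exe"},
]

RUN_KEY = "\\currentversion\\run\\"


def image_name(event):
    """Base name of the Image field, lower-cased."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def shadow_copy_deletion(e):
    """vssadmin asked to delete shadows, whatever the other switches are."""
    return (e["EventType"] == "ProcessCreate" and image_name(e) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", e.get("CommandLine", ""), re.I) is not None)


def console_codepage_1251(e):
    """mode.com switching the console to code page 1251 (Windows Cyrillic),
    which this sample does right before each vssadmin call."""
    return (e["EventType"] == "ProcessCreate" and image_name(e) == "mode.com"
            and re.search(r"\bcp\s+select=1251\b", e.get("CommandLine", ""), re.I) is not None)


def mshta_startup_hta(e):
    """mshta.exe executing an .hta that lives in a Startup folder."""
    return (e["EventType"] == "ProcessCreate" and image_name(e) == "mshta.exe"
            and re.search(r'\\Startup\\[^"]*\.hta\b', e.get("CommandLine", ""), re.I) is not None)


def run_key_launches_mshta(e):
    """Run value whose data starts with mshta (script-host persistence)."""
    return (e["EventType"] == "RegistryValueSet"
            and RUN_KEY in e.get("TargetObject", "").lower()
            and e.get("Details", "").lower().lstrip('"').startswith("mshta"))


def run_key_written_from_temp(e):
    """Run value written by a process executing out of a user's Temp folder."""
    return (e["EventType"] == "RegistryValueSet"
            and RUN_KEY in e.get("TargetObject", "").lower()
            and "\\appdata\\local\\temp\\" in e.get("Image", "").lower())


RULES = {
    "shadow_copy_deletion": shadow_copy_deletion,
    "console_codepage_1251": console_codepage_1251,
    "mshta_startup_hta": mshta_startup_hta,
    "run_key_launches_mshta": run_key_launches_mshta,
    "run_key_written_from_temp": run_key_written_from_temp,
}


def evaluate(events):
    """Map each rule name to the indices of the events that triggered it."""
    hits = {}
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits.setdefault(name, []).append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in evaluate(EVENTS).items():
        print(f"{name}: events {idxs}")
```

The shadow-copy rule matches on the verb rather than on the exact `/all /quiet` string so that variants with other switches still fire, while the `list` control stays silent; the two registry rules are deliberately separate, since a Run value written from Temp is suspicious even when its data is a plain executable path, as the first Run value in this report is.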
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 6e93ea018a0198715e05a4c17ba704d1
  SHA1: 8cd377518d77185325e974b6ba2256bf601a7c93
  SHA256: 40b15992634685485b621227e407209af154543ec41506f5ecaf848c7b2cd737
  SHA512: ae94c3c7689c6c1d502e89f251f0156eaa1a79568e3c309b426e7e29450d0443b7733501d599cf935324ff1e723780af18b3985bcdd3516b082ba983be3c69d6
- C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
  MD5: ba0b09dad5e153c834c26b5a6f31d48a
  SHA1: e2da0e129de497e3abc2403163a144af6c2595f0
  SHA256: 0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83
  SHA512: 8ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6
- C:\Users\Admin\AppData\Local\Temp\Help.exe
  MD5: 84971d908283a08b10b07eae9ef66afa
  SHA1: 9d080494406ded19539ca8c2491e2c7dfcdf752d
  SHA256: 414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3
  SHA512: 4d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630
- C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\AppRemover_API.dll
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these four digests are those of zero-byte input, so the captured file is empty)
- C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\BootHelper.exe
  MD5: c23d20846bc85f9c3c689e77d9d18e7c
  SHA1: ec4d88abef56670bce95ad964a48efb9b2a44950
  SHA256: 0fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b
  SHA512: c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63
- C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\Defender_nt32_enu.exe
  MD5: ff4877b3b99e0ff3986eeadf61d49675
  SHA1: bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f
  SHA256: 61d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a
  SHA512: 5ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a
SHA5125ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\avrsrv.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\eset.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\exclusions.txtMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwaapi.dllMD5
2acb7f98aa264ce6e25b447e9478275e
SHA1537549c96f4259ac78462523e65719ab58c8d98f
SHA256a0cd9390e76389f5215ae46eb09b3870d29959b97ccfb240664cf85df948e424
SHA51284bc612cac5e2c43a4154b37efb8cacda6f212fc31a9b687325c6402c543919c49c93ab05c140dd5d9c560d564b3bc12c3827fe834d993fb2a901f54059f4af6
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwaheap.dllMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwalocal.dllMD5
2a028e877d9a8f5822e514d7d757279f
SHA1a68b3b5acffb8b177cf108c9d166d76cd6c3f80d
SHA256ad0bd4b6e087e1877f5fc151de6c325793b733081f757230989114e0803f9811
SHA5123df3ed4b2160a132d1002ed0395639c567f289a3d524f24a550c3ad6568b5e9e20547a351fd87affd3166fd946ae2cdd4705ffef630eb98e56e14bad83d5ebdf
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwaresource.dllMD5
807867f1871b7e97b8bc52480654ad9c
SHA1bb42806ff8eb40fd4856b9bd0e2ec4d212fe5937
SHA2563c613b7698db2e6d73c23a7fd55f467026e3ff30693bf2c41a202d01d6606f45
SHA5121d75501f3db1cba96f96b64f300dbd7f95a0669f2f393f3761ba8a3c66e10249bb401f9d3a527359b757a3b458706c510005b3e5526798074cd212217407cf1c
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\libwautils.dllMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\license.cfgMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgAVRemover.dllMD5
099e32e5a8c23f0f7e747dd1e5b3aa5b
SHA1f5941e7701c1ff354578b315d0162f4ea531eab7
SHA256332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b
SHA5121feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgSciterBase.dllMD5
2901655c576f2b4679e9cc87c534acc8
SHA1ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11
SHA2563baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729
SHA5121ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\rm.exeMD5
624da61f2906b55ca48e781ffb9272b4
SHA189d2bb54c53f4fde78394d299430fe4a8bc23de2
SHA2563347c224698036e6f3ce5a8caab60aa05451406d9fe7d65492b948693f34d8e1
SHA51207887b50320d37b0f107c1753137b99d7cda585e5c0a58de3683f4fc50ecef3fc01375cc1ce27704ae4cb0073aa776c94d043b870d1bfcac553fec5b01eac0c9
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\sciter-x.dllMD5
bb34a6a2d76959afa73374e94c2ed122
SHA198f166919626114be5365f9d8ada703669286921
SHA25669db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63
SHA512fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e
-
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\script.datMD5
f19e9efccb1365ac5433f5b7e40194b6
SHA16a823f1f8e8d50626a9b48cae60927c1a71a61a3
SHA256feb39b0af17fde2bfca8b0ae3edf984d4c64ef71f0f9237f68f361f2823f9f2a
SHA512c54daacdfaec21791899d1fe56ec0ff4e584971147a80c98f339ab77125060b632f9afde67f1ada2d75a4de179e32e8d3a05c1f0e6efcaa0f8eb122f7087179b
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exeMD5
bde189d41dc7594fb6ab5e3fee659b0e
SHA1fa8739b6734f4bca949c94242e922aba730bac88
SHA256703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
SHA512a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
6e93ea018a0198715e05a4c17ba704d1
SHA18cd377518d77185325e974b6ba2256bf601a7c93
SHA25640b15992634685485b621227e407209af154543ec41506f5ecaf848c7b2cd737
SHA512ae94c3c7689c6c1d502e89f251f0156eaa1a79568e3c309b426e7e29450d0443b7733501d599cf935324ff1e723780af18b3985bcdd3516b082ba983be3c69d6
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgAVRemover.dllMD5
099e32e5a8c23f0f7e747dd1e5b3aa5b
SHA1f5941e7701c1ff354578b315d0162f4ea531eab7
SHA256332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b
SHA5121feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\plgSciterBase.dllMD5
2901655c576f2b4679e9cc87c534acc8
SHA1ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11
SHA2563baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729
SHA5121ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4
-
\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-451C-E543-E2E5-66C2812C4AF1}\sciter-x.dllMD5
bb34a6a2d76959afa73374e94c2ed122
SHA198f166919626114be5365f9d8ada703669286921
SHA25669db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63
SHA512fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e
-
memory/1040-165-0x0000000000000000-mapping.dmp
-
memory/1260-166-0x0000000000000000-mapping.dmp
-
memory/1500-167-0x0000000000000000-mapping.dmp
-
memory/2084-143-0x0000000000000000-mapping.dmp
-
memory/2140-114-0x0000000000000000-mapping.dmp
-
memory/2220-168-0x0000000000000000-mapping.dmp
-
memory/2564-164-0x0000000000000000-mapping.dmp
-
memory/2700-130-0x00000000009F0000-0x00000000009F1000-memory.dmpFilesize
4KB
-
memory/2700-132-0x0000000000940000-0x00000000009EE000-memory.dmpFilesize
696KB
-
memory/2700-131-0x00000000011B0000-0x0000000001ABB000-memory.dmpFilesize
9.0MB
-
memory/2700-129-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/2700-118-0x0000000000000000-mapping.dmp
-
memory/2772-121-0x0000000000000000-mapping.dmp
-
memory/2780-144-0x0000000000000000-mapping.dmp
-
memory/3540-124-0x0000000000000000-mapping.dmp
-
memory/3904-145-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3904-140-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3904-141-0x000000000040A9D0-mapping.dmp
-
memory/3936-146-0x0000000000000000-mapping.dmp
-
memory/4036-133-0x0000000000000000-mapping.dmp