dharma | a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
04-07-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe
Size

14.1MB
MD5

d35fa59ce558fe08955ce0e807ce07d0
SHA1

3fa0e015acddad634f9f362099f3d79683159726
SHA256

a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
SHA512

b1965eea1ed6c77979c79acf893cd2ac2dbfa898b870f76d9ab59936ac5cf5c0995db9d98addfa72e6c1b2b304d6b021b9be89458a5b82ea6ff9f5014c8f9d0b
SSDEEP

393216:SJVjSCChYtRVGv6EN7Qix2RM9UV+IkRq9+9lZDGfcsWNM3ZjX9VZ:SJVWhGyN79x5UV+IkAIHhn+pLZ

Score

10^/10

dharma defense_evasion discovery execution impact persistence ransomware spyware stealer upx vmprotect

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 75EA6AF3 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (567) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Help.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled"	Help.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000002aa4e-19387.dat	acprotect

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	taskhost.exe

Executes dropped EXE 7 IoCs

pid	Process
1884	Defender_nt32_enu.exe
1868	taskhost.exe
896	Help.exe
4316	Defender_nt32_enu.exe
2008	BootHelper.exe
4020	taskhost.exe
6008	avrsrv.exe

Loads dropped DLL 7 IoCs

pid	Process
4316	Defender_nt32_enu.exe
4316	Defender_nt32_enu.exe
4316	Defender_nt32_enu.exe
6008	avrsrv.exe
6008	avrsrv.exe
6008	avrsrv.exe
6008	avrsrv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000002aa41-27.dat	upx
behavioral1/memory/896-34-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/896-44-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/6008-19470-0x0000000072D70000-0x0000000072DD2000-memory.dmp	upx
behavioral1/files/0x000100000002aa4e-19387.dat	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b000000028cee-17.dat	vmprotect
behavioral1/memory/1868-81-0x0000000000D50000-0x000000000165B000-memory.dmp	vmprotect
behavioral1/memory/1868-84-0x0000000000D50000-0x000000000165B000-memory.dmp	vmprotect
behavioral1/memory/1868-149-0x0000000000D50000-0x000000000165B000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost.exe = "C:\\Windows\\System32\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	taskhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3001105534-2705918504-2956618779-1000\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	taskhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3001105534-2705918504-2956618779-1000\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Public\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	taskhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Info.hta	taskhost.exe
File created	C:\Windows\System32\taskhost.exe	taskhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1868	taskhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 4020	1868	taskhost.exe	86

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\extendComponent.js	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpLargeTile.scale-200.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_contrast-white.png	taskhost.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_wer.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\CHANGELOG.md	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms	taskhost.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Beta.msix.DATA.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags.png	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-default.svg	taskhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\error-icon.png.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-200.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	taskhost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_no.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\et-EE\PAD.Console.Host.resources.dll	taskhost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css	taskhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\ui-strings.js.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\MSFT_PackageManagementSource.psm1	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-black\MicrosoftSolitaireWideTile.scale-100_contrast-black.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-150_contrast-white.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\lt.pak.DATA	taskhost.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\psuser_64.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-125_contrast-white.png	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-100.png	taskhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sk.pak	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms	taskhost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll	taskhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-20.png	taskhost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll	taskhost.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.id-75EA6AF3.[[email protected]].ETH	taskhost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL.id-75EA6AF3.[[email protected]].ETH	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5720	vssadmin.exe
8356	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	avrsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	avrsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	avrsrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	taskhost.exe
1868	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4020	taskhost.exe
4316	Defender_nt32_enu.exe
4316	Defender_nt32_enu.exe
4020	taskhost.exe
4020	taskhost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4020	taskhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	896	Help.exe
Token: SeBackupPrivilege	5900	vssvc.exe
Token: SeRestorePrivilege	5900	vssvc.exe
Token: SeAuditPrivilege	5900	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4316	Defender_nt32_enu.exe
4316	Defender_nt32_enu.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1884	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	79
PID 4884 wrote to memory of 1884	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	79
PID 4884 wrote to memory of 1884	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	79
PID 4884 wrote to memory of 1868	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	82
PID 4884 wrote to memory of 1868	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	82
PID 4884 wrote to memory of 1868	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	82
PID 4884 wrote to memory of 896	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	83
PID 4884 wrote to memory of 896	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	83
PID 4884 wrote to memory of 896	4884	a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe	83
PID 1884 wrote to memory of 4316	1884	Defender_nt32_enu.exe	84
PID 1884 wrote to memory of 4316	1884	Defender_nt32_enu.exe	84
PID 1884 wrote to memory of 4316	1884	Defender_nt32_enu.exe	84
PID 4316 wrote to memory of 2008	4316	Defender_nt32_enu.exe	85
PID 4316 wrote to memory of 2008	4316	Defender_nt32_enu.exe	85
PID 4316 wrote to memory of 2008	4316	Defender_nt32_enu.exe	85
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 1868 wrote to memory of 4020	1868	taskhost.exe	86
PID 4020 wrote to memory of 3276	4020	taskhost.exe	87
PID 4020 wrote to memory of 3276	4020	taskhost.exe	87
PID 3276 wrote to memory of 3600	3276	cmd.exe	89
PID 3276 wrote to memory of 3600	3276	cmd.exe	89
PID 3276 wrote to memory of 5720	3276	cmd.exe	90
PID 3276 wrote to memory of 5720	3276	cmd.exe	90
PID 4316 wrote to memory of 6008	4316	Defender_nt32_enu.exe	94
PID 4316 wrote to memory of 6008	4316	Defender_nt32_enu.exe	94
PID 4316 wrote to memory of 6008	4316	Defender_nt32_enu.exe	94
PID 4020 wrote to memory of 652	4020	taskhost.exe	96
PID 4020 wrote to memory of 652	4020	taskhost.exe	96
PID 652 wrote to memory of 3672	652	cmd.exe	98
PID 652 wrote to memory of 3672	652	cmd.exe	98
PID 4020 wrote to memory of 9144	4020	taskhost.exe	99
PID 4020 wrote to memory of 9144	4020	taskhost.exe	99
PID 652 wrote to memory of 8356	652	cmd.exe	100
PID 652 wrote to memory of 8356	652	cmd.exe	100
PID 4020 wrote to memory of 5224	4020	taskhost.exe	101
PID 4020 wrote to memory of 5224	4020	taskhost.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe
"C:\Users\Admin\AppData\Local\Temp\a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe
  "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\Defender_nt32_enu.exe
    "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\Defender_nt32_enu.exe" --bts-container 1884 "C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\BootHelper.exe
      BootHelper.exe --watchdog 4316 --product "ESET AV Remover" 1.2.4.0 1033
      4⤵
      Executes dropped EXE
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\avrsrv.exe
      C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\avrsrv.exe -p ncalrpc -e ESET-AVRemover-Server
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:6008
- C:\Users\Admin\AppData\Local\Temp\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:3600
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5720
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:3672
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:8356
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:9144
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:5224
- C:\Users\Admin\AppData\Local\Temp\Help.exe
  "C:\Users\Admin\AppData\Local\Temp\Help.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:6676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-75EA6AF3.[[email protected]].ETH

Filesize
3.2MB

MD5
e15b70888eb38703a921c7cfe23edabd

SHA1
ac94aebbef1a98eb3daf3db92e9cf8b777c2186f

SHA256
018684efb53f05ae52f71d39d91c55ded841af3cb4530dd844f811bef43bf41c

SHA512
5e5ecc92d71db24b51af9da746d39cfaab560ae49ed87b2edc4f21890ee8fccf5a62540a590f46ba5e8f345a11ef301036ecc5bbc0cd0c65095b9b0d63dec6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
12a1cb157bc305bd2f30dc896d1b00a1

SHA1
a2fd5cd458980c3f1a9400af38712a232e8e2455

SHA256
91934947c3032cfa5f0dd352c5a999412b11e3bf8dc43c5a6668d506df85f253

SHA512
e802f0e710c11b609b07a10d647c75fa90794c056d4eb11d9b75c8bf98d166024234d3f5ef6f2c563a68c680eb6d12e8941317ae9caf9d924c2daf91c361a767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender_nt32_enu.exe

Filesize
8.4MB

MD5
ba0b09dad5e153c834c26b5a6f31d48a

SHA1
e2da0e129de497e3abc2403163a144af6c2595f0

SHA256
0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83

SHA512
8ac76c9a075ed7037ec281c4812691a9c139c593ae8a50b5dc6b70008e7c5a74986a4177b7d917ab9c4a69330c2abba5eafbb3dda53f05c679525537c4c687a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Help.exe

Filesize
17KB

MD5
84971d908283a08b10b07eae9ef66afa

SHA1
9d080494406ded19539ca8c2491e2c7dfcdf752d

SHA256
414e1e832212df674b5951323ad1618b80d086f0cf2f14f26c48c824513747a3

SHA512
4d1482461293f2b36ad698b8942507c654eb0e313375953cd798495319dcf63175ce52b81fff87574a76220806d201a5a63fcd7e5830534e6e0cded5692d2630

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\AppRemover_API.dll

Filesize
152KB

MD5
58d4d11f2054366e857f95bc90afd154

SHA1
c51c07507312ca1fbe8a561df0c9b04598f4517f

SHA256
17cfcc54ef4b5a383923e37b18260830d32bd059a5df19eb0e2c9c2f675cc340

SHA512
55fae7480350be31eb44ae3e924146a3cfece73913fb76748e5923fdcde9765169ce0797271a6610b4b06e22075da7e6e67a386bb2b8bfa7bc5064b03cc78684

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\BootHelper.exe

Filesize
323KB

MD5
c23d20846bc85f9c3c689e77d9d18e7c

SHA1
ec4d88abef56670bce95ad964a48efb9b2a44950

SHA256
0fcd9e15b5f88597b72855c8e01757bdb63f45a48e302cb38c96d919ff52a94b

SHA512
c4e958dd9f37341a231225688456e8077bd949b320058b1ba1ccc1ca003b1d6b9bf2c39dd503b843cd103b333003f56b7ddaf1b7a2023a36ce9fc01ee8359b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\Defender_nt32_enu.exe

Filesize
1.2MB

MD5
ff4877b3b99e0ff3986eeadf61d49675

SHA1
bd4561f9d16e04fa8a4bbaf09026b6819c9a7c1f

SHA256
61d02a7cbeb2bd9c555b9df2ea9b65f8fe079ea04a128d7b59279dd58ff43b5a

SHA512
5ec3dc666c74a2d17e9e9cecf83ddca0d932c21a45cb64c1f02786529d4132ce49435c349e186056b3927d98889909a814337862246e570f8acd6f7eabfb8f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\avrsrv.exe

Filesize
219KB

MD5
411c9041b4dfce01232fc161b05b8c46

SHA1
50489d9e4fcc317934bab4acfe65b2c97e63e47d

SHA256
bccacff1f710f95c8d41e53c384023d96ff6e7b525f5f3747c5ac683f559c642

SHA512
70d21ae0cb2f9279af995cdad71e13d2a9b81b878fa03e28e4305f8b32b89407a0e0ae2b5f8a36ee668a77af078fa3943dc82806cb2e6fe86d20e7e1bdccd202

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\libwaapi.dll

Filesize
628KB

MD5
fd185f814968e5d03c361514e81bf111

SHA1
8e07302f562779b8f377e99ebb330b376faf986f

SHA256
28c5d6259ea4738885e1e75464a0e533f63b1200139c1d519bce0de3d9a5688c

SHA512
6e2af21d5f7edd7d5c3a02a1bc195d15e26431d8965c3324ccca7dbd917337f65695d0d8857fd195700ac8e20be494ac673163529d9df5cb25ebf9ec94ee2c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\libwaheap.dll

Filesize
76KB

MD5
edb463dc699d37683cf27cd1730829c9

SHA1
52070147fcdfc8f4d48ce7cd6a6cbecac7527b81

SHA256
7dba435b0444e740ec0e1b6441d62abe2f02d7772d07ac4f9655699542d242c8

SHA512
ef7590fd3a161d125e21f76884cf28d1261792ed43cefcfbf23647705dc8926f24fc8ce019f1a69df44f2aa6783dd5d549f0adf9b3688aebff3f63da1444032d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\libwalocal.dll

Filesize
64KB

MD5
5046fccb39e9d328e5f26126c65fce62

SHA1
a24661d5d73e0eb00729d5aaa5b4dc83dc28d548

SHA256
7d3e617e1ccce80a66198e49663561b771b675f39c0aac7688bf77fd3af9bc65

SHA512
467a11a8a20052657f2875b21703e476e127cfe054aed12bff7add3a736ce5ad8f023979d32b64a010ea70d0cf250c6a40fb0a85601830d25581c8a8e8ed16fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\libwaresource.dll

Filesize
2.9MB

MD5
74d1e20c9793157b3185e6e6efca934d

SHA1
70ca189b8d9d563b7c6fb19b48146910063c2e97

SHA256
f2422e300dc16aac8599c113034e3f5f1080faaeb15867c23eea6ef7c113f30e

SHA512
2c88e32fc8a676abab01311ef03ae1128429dc2af8975935f37e4b167af2546aeb90fde223ff91cc52d3474fab4841a32667ef66237dece68a09f474281fbd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\libwautils.dll

Filesize
1.3MB

MD5
07cbd79ed6fd0e79bcaf84e96e987715

SHA1
21d79c0e74aa7a1b4eec65746ff6dde79939a2f6

SHA256
3bdb27712e9682c245b035155fbf1fb44d2f6d70331a7e55c1b2cab9da6c91e9

SHA512
bf9d02e4f5a471171a2e7ae9985c8d87f33516fdd6155769de2db5feb52ef71370d592fe88eff58102f566689d6919cbc0537ba68f6de0f37bd35d23608addbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\license.cfg

Filesize
6KB

MD5
9f76ed45b24f4707bf58fab9e66e6615

SHA1
20a2fc20b47a90b479a84e5d1143e76a0ea35356

SHA256
4689361d9ceae057683db850ab0d6827f212ab0c55194d2a2c45347f8786b177

SHA512
e5eaaa1dc11923e21d344acb2363ee2126c012a1326408ecb378cf2a2e9d1acc840e3ad0a88449fd279075141122f9a72b0c7f6c321db249f85703d1bc47c8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\plgAVRemover.dll

Filesize
659KB

MD5
099e32e5a8c23f0f7e747dd1e5b3aa5b

SHA1
f5941e7701c1ff354578b315d0162f4ea531eab7

SHA256
332e6e1c1ca1ea97308fb44d5defd0ce2d44434dc08b3295e76499dc4fbe587b

SHA512
1feb3dbe72f1fda68e4b44427cefcb180aecfeda508e5cfdb2caf53bc2014b98754c4a4b483cc01608686da05e73fde38ec7e74df3ea2d27d92300d88f02716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\plgSciterBase.dll

Filesize
1.5MB

MD5
2901655c576f2b4679e9cc87c534acc8

SHA1
ae4ac9e0f4d22e6c1efec6affb6bb11be2865a11

SHA256
3baeb1232a22b39ae20d89f9dc61ca6754632bacaf4385d6c76729becf1ae729

SHA512
1ec9176f33c8734d74d000a545da32faee73e1de3b9ffe5eb54725c875826466f6d853427cdfa45368cf709eec58e4202cbe5232968e62df0158f78c407d1fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-AD32-DEF4-2AAE-45C3F9224AFE}\sciter-x.dll

Filesize
3.1MB

MD5
bb34a6a2d76959afa73374e94c2ed122

SHA1
98f166919626114be5365f9d8ada703669286921

SHA256
69db7c82c147c5371d556fed5c0c0b44252b474298b0be09bc4b42cdc0c15f63

SHA512
fd8af05d8fce222deb1bb4a2dcaf9d69c322f6e62f117680250a4575d221686c7e913db35c41799fe246feddca283e0df9afa502b4fa91d624a3dd0533a27f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
5.5MB

MD5
bde189d41dc7594fb6ab5e3fee659b0e

SHA1
fa8739b6734f4bca949c94242e922aba730bac88

SHA256
703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe

SHA512
a321cd45efe2a430f88c488ef4af47ae5401cdbeef162c04449126ae2e9da0493613dffcbfcb70d5fc002b53d3a6494cd4851026e7d1393f5e8409c8a878bd8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3001105534-2705918504-2956618779-1000\0f5007522459c86e95ffcc62f32308f1_8098baf9-5396-4c49-9aab-29547c63ed8c.id-75EA6AF3.[[email protected]].ETH

Filesize
398B

MD5
a9610761819fd800827a796cf15612f3

SHA1
be8c17b3d1e2eb7f7b45f88721ecc7ece44a1c66

SHA256
7caf487a3bdf5e3ff9f1aa743f8fae40f7b159d78f8e332ee02353013062d27e

SHA512
86f873d2cf164a29fc1b08fc9b485065d2b4108cc1ac77f96e971938f58c8d3b8eff0acab8269a56ddd9347deffadd0dc0e91695cb26ac5c39d1b9a2be269163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
13KB

MD5
d187d49cb719a464c2b964b6db7dcfe6

SHA1
fc569685b41163fe123175600d75449e294dc982

SHA256
1ad7cc8940cf45401c66b123ed997239c17b1b69459cabf4439f387a843cca9d

SHA512
666ea6f0c62e73dea57048984200906f670f53886202139d1c01f6b8c1948f228d0cea5dced6401f0b2a30b4df8fd6509ef4e78d7fb451a53ab7c6573dca8839

Download Submit
memory/896-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/896-34-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1868-82-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1868-105-0x0000000000D9D000-0x00000000010D5000-memory.dmp

Filesize
3.2MB

Download
memory/1868-72-0x0000000000D9D000-0x00000000010D5000-memory.dmp

Filesize
3.2MB

Download
memory/1868-81-0x0000000000D50000-0x000000000165B000-memory.dmp

Filesize
9.0MB

Download
memory/1868-83-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1868-84-0x0000000000D50000-0x000000000165B000-memory.dmp

Filesize
9.0MB

Download
memory/1868-149-0x0000000000D50000-0x000000000165B000-memory.dmp

Filesize
9.0MB

Download
memory/4020-115-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4020-116-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4020-113-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4020-114-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4020-102-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4020-109-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4020-104-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6008-19470-0x0000000072D70000-0x0000000072DD2000-memory.dmp

Filesize
392KB

Download