echelon | 3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894

Analysis

max time kernel
102s
max time network
141s
platform
windows7_x64
resource
win7-20220331-en
submitted
27-03-2022 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
Size

16.2MB
MD5

7bfb2c60019c6b03c7853718d3c24f67
SHA1

390dad7ffe4dbd389f52e6589c98ab77998b7014
SHA256

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894
SHA512

3ea3fbc7184ba03d6bce3eaa9620c2f8962d8a5494c87bde3d3291b9e4d73fab9861a0ef165e40e17b366a6425ce107dbe9e679b63182b633c8b69c1d69bc8cb

Score

10^/10

echelon collection discovery spyware stealer vmprotect

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file

yara_rule
echelon_log_file

Executes dropped EXE 11 IoCs

Processes:

CL_Debug_Log.txtsvchost.exeFile.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1992	CL_Debug_Log.txt
840	svchost.exe
1820	File.exe
568	Helper.exe
912	Helper.exe
1504	Helper.exe
1464	Helper.exe
780	Helper.exe
468	Helper.exe
384	Helper.exe
1780	Helper.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1464-59-0x0000000000370000-0x0000000002404000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\svchost.exe	vmprotect
\Users\Admin\AppData\Local\Temp\svchost.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\svchost.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\svchost.exe	vmprotect

Loads dropped DLL 14 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exesvchost.exetaskeng.exeWerFault.exe

pid	process
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
840	svchost.exe
1604	taskeng.exe
1604	taskeng.exe
1760
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe
Key opened	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe
Key opened	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
9 ip-api.com
11 api.ipify.org

flow	ioc
7	api.ipify.org
8	api.ipify.org
9	ip-api.com
11	api.ipify.org

AutoIT Executable 22 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1464-59-0x0000000000370000-0x0000000002404000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exesvchost.exe

pid process

1464 3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
840 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Helper.exe

description pid process target process

PID 1464 set thread context of 780 1464 Helper.exe Helper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1608 1820 WerFault.exe File.exe
840 780 WerFault.exe Helper.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe

description	pid	process	target process
PID 1464 set thread context of 780	1464	Helper.exe	Helper.exe

pid	pid_target	process	target process
1608	1820	WerFault.exe	File.exe
840	780	WerFault.exe	Helper.exe

pid	process
1016	schtasks.exe

NTFS ADS 1 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\VFSHTLAO\root\CIMV2	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

pid	process
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

CL_Debug_Log.txtFile.exe

description	pid	process
Token: SeRestorePrivilege	1992	CL_Debug_Log.txt
Token: 35	1992	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1992	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1992	CL_Debug_Log.txt
Token: SeDebugPrivilege	1820	File.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
568	Helper.exe
568	Helper.exe
568	Helper.exe
912	Helper.exe
912	Helper.exe
912	Helper.exe
1464	Helper.exe
1464	Helper.exe
1464	Helper.exe
1504	Helper.exe
1504	Helper.exe
1504	Helper.exe
468	Helper.exe
468	Helper.exe
468	Helper.exe
384	Helper.exe
384	Helper.exe
384	Helper.exe
384	Helper.exe
1780	Helper.exe
1780	Helper.exe
1780	Helper.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
568	Helper.exe
568	Helper.exe
568	Helper.exe
912	Helper.exe
912	Helper.exe
912	Helper.exe
1464	Helper.exe
1464	Helper.exe
1464	Helper.exe
1504	Helper.exe
1504	Helper.exe
1504	Helper.exe
468	Helper.exe
468	Helper.exe
468	Helper.exe
384	Helper.exe
384	Helper.exe
384	Helper.exe
384	Helper.exe
1780	Helper.exe
1780	Helper.exe
1780	Helper.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.execmd.exesvchost.exeFile.exetaskeng.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exe

description	pid	process	target process
PID 1464 wrote to memory of 1992	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1464 wrote to memory of 1992	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1464 wrote to memory of 1992	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1464 wrote to memory of 1992	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1464 wrote to memory of 1448	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1464 wrote to memory of 1448	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1464 wrote to memory of 1448	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1464 wrote to memory of 1448	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1448 wrote to memory of 1016	1448	cmd.exe	schtasks.exe
PID 1448 wrote to memory of 1016	1448	cmd.exe	schtasks.exe
PID 1448 wrote to memory of 1016	1448	cmd.exe	schtasks.exe
PID 1448 wrote to memory of 1016	1448	cmd.exe	schtasks.exe
PID 1464 wrote to memory of 840	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 1464 wrote to memory of 840	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 1464 wrote to memory of 840	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 1464 wrote to memory of 840	1464	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 840 wrote to memory of 1820	840	svchost.exe	File.exe
PID 840 wrote to memory of 1820	840	svchost.exe	File.exe
PID 840 wrote to memory of 1820	840	svchost.exe	File.exe
PID 840 wrote to memory of 1820	840	svchost.exe	File.exe
PID 1820 wrote to memory of 1608	1820	File.exe	WerFault.exe
PID 1820 wrote to memory of 1608	1820	File.exe	WerFault.exe
PID 1820 wrote to memory of 1608	1820	File.exe	WerFault.exe
PID 1604 wrote to memory of 912	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 912	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 912	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 568	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 568	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 568	1604	taskeng.exe	Helper.exe
PID 568 wrote to memory of 1504	568	Helper.exe	Helper.exe
PID 568 wrote to memory of 1504	568	Helper.exe	Helper.exe
PID 568 wrote to memory of 1504	568	Helper.exe	Helper.exe
PID 912 wrote to memory of 1464	912	Helper.exe	Helper.exe
PID 912 wrote to memory of 1464	912	Helper.exe	Helper.exe
PID 912 wrote to memory of 1464	912	Helper.exe	Helper.exe
PID 1464 wrote to memory of 780	1464	Helper.exe	Helper.exe
PID 1464 wrote to memory of 780	1464	Helper.exe	Helper.exe
PID 1464 wrote to memory of 780	1464	Helper.exe	Helper.exe
PID 1464 wrote to memory of 780	1464	Helper.exe	Helper.exe
PID 1464 wrote to memory of 780	1464	Helper.exe	Helper.exe
PID 780 wrote to memory of 840	780	Helper.exe	WerFault.exe
PID 780 wrote to memory of 840	780	Helper.exe	WerFault.exe
PID 780 wrote to memory of 840	780	Helper.exe	WerFault.exe
PID 1604 wrote to memory of 468	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 468	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 468	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 384	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 384	1604	taskeng.exe	Helper.exe
PID 1604 wrote to memory of 384	1604	taskeng.exe	Helper.exe
PID 468 wrote to memory of 1780	468	Helper.exe	Helper.exe
PID 468 wrote to memory of 1780	468	Helper.exe	Helper.exe
PID 468 wrote to memory of 1780	468	Helper.exe	Helper.exe

outlook_office_path 1 IoCs

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

outlook_win_path 1 IoCs

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

C:\Users\Admin\AppData\Local\Temp\3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
"C:\Users\Admin\AppData\Local\Temp\3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
3⤵
- Creates scheduled task(s)
PID:1016

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1820 -s 1736
4⤵
- Program crash
PID:1608

C:\Windows\system32\taskeng.exe
taskeng.exe {7BBC5388-091D-4387-BF04-27991F89A3B7} S-1-5-21-3422572840-2899912402-917774768-1000:VFSHTLAO\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck16413
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 780 -s 104
5⤵
- Loads dropped DLL
- Program crash
PID:840

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck16413
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:384

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck16413
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe
Filesize
6.7MB

MD5
c22705f33a214db9ccdee9fbb696bf2a

SHA1
b11f5c2fa72a798e36075e39e1b98fb943c981c8

SHA256
cc6302736ef57f3272d0e3985237e3f036e4a1e13d4c544b3a4b9db936b4b921

SHA512
a859661e8cbc3cd6c1d795f3ff17f0d395ccfd4fc742742e4d2543b29d5ddaded8821939b03cad2e1bc561f97648ce3fa2dfd72800b7f0026b994558b22d571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
Filesize
12.8MB

MD5
c938bda404fbd5d92ac21dcaf8fe7eda

SHA1
6325026f78525c30e7b31615165c85959ae9ac77

SHA256
031aa7d442360d4a9a58388aa79fcc6bd7c95b595bdb3abc8d3f36b2f014d071

SHA512
dbbdd810780107645dc033d0cc9e89a607cdf074d23a64898e483a1125157221e760d9fa65e973e1c5909d0aff21ebc0fde6b6c582ccec86aebe18315abafb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
faed883653d647ae728833df23e87ebe

SHA1
18864e7e0076e3707a387fad1093c1415791459a

SHA256
166c38e743aafe35c3f812bfa4dfe38e34ee45aaa5fae7eb0db7451dbe2d0bb9

SHA512
633a7683004bea836f2eaa922f270df42a69f7676afe46cf9ea178df894fe134feba6f1704f4fd72ca9b9278f6df6c22c1a4ce939252f10eac9ed731f66008dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
faed883653d647ae728833df23e87ebe

SHA1
18864e7e0076e3707a387fad1093c1415791459a

SHA256
166c38e743aafe35c3f812bfa4dfe38e34ee45aaa5fae7eb0db7451dbe2d0bb9

SHA512
633a7683004bea836f2eaa922f270df42a69f7676afe46cf9ea178df894fe134feba6f1704f4fd72ca9b9278f6df6c22c1a4ce939252f10eac9ed731f66008dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.2MB

MD5
16ed93946b0c3f987e52f302f26a0384

SHA1
09c563656f9049767d792c4559bdfa836f605486

SHA256
56fd8e067619495fed16251aae6b9e30ae8242fbc88570e385e4a42a5409cd28

SHA512
288901556858eb9a2f30605c14715323020e0c418de799ee80f30b4dd2979c10baa32612b4e9fde2e23eda055852da12a43addad1a4bdeeeb83d63d292d414f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.2MB

MD5
16ed93946b0c3f987e52f302f26a0384

SHA1
09c563656f9049767d792c4559bdfa836f605486

SHA256
56fd8e067619495fed16251aae6b9e30ae8242fbc88570e385e4a42a5409cd28

SHA512
288901556858eb9a2f30605c14715323020e0c418de799ee80f30b4dd2979c10baa32612b4e9fde2e23eda055852da12a43addad1a4bdeeeb83d63d292d414f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
faed883653d647ae728833df23e87ebe

SHA1
18864e7e0076e3707a387fad1093c1415791459a

SHA256
166c38e743aafe35c3f812bfa4dfe38e34ee45aaa5fae7eb0db7451dbe2d0bb9

SHA512
633a7683004bea836f2eaa922f270df42a69f7676afe46cf9ea178df894fe134feba6f1704f4fd72ca9b9278f6df6c22c1a4ce939252f10eac9ed731f66008dd

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.2MB

MD5
16ed93946b0c3f987e52f302f26a0384

SHA1
09c563656f9049767d792c4559bdfa836f605486

SHA256
56fd8e067619495fed16251aae6b9e30ae8242fbc88570e385e4a42a5409cd28

SHA512
288901556858eb9a2f30605c14715323020e0c418de799ee80f30b4dd2979c10baa32612b4e9fde2e23eda055852da12a43addad1a4bdeeeb83d63d292d414f1

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.2MB

MD5
16ed93946b0c3f987e52f302f26a0384

SHA1
09c563656f9049767d792c4559bdfa836f605486

SHA256
56fd8e067619495fed16251aae6b9e30ae8242fbc88570e385e4a42a5409cd28

SHA512
288901556858eb9a2f30605c14715323020e0c418de799ee80f30b4dd2979c10baa32612b4e9fde2e23eda055852da12a43addad1a4bdeeeb83d63d292d414f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
memory/384-123-0x0000000000000000-mapping.dmp

Download
memory/468-122-0x0000000000000000-mapping.dmp

Download
memory/568-97-0x000007FEFBD51000-0x000007FEFBD53000-memory.dmp

Filesize
8KB

Download
memory/568-94-0x0000000000000000-mapping.dmp

Download
memory/780-108-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/780-113-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/780-109-0x000000000012D730-mapping.dmp

Download
memory/780-106-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/840-81-0x0000000075900000-0x0000000075901000-memory.dmp

Filesize
4KB

Download
memory/840-72-0x0000000000000000-mapping.dmp

Download
memory/840-83-0x0000000002081000-0x0000000002083000-memory.dmp

Filesize
8KB

Download
memory/840-114-0x0000000000000000-mapping.dmp

Download
memory/912-93-0x0000000000000000-mapping.dmp

Download
memory/1016-67-0x0000000000000000-mapping.dmp

Download
memory/1448-66-0x0000000000000000-mapping.dmp

Download
memory/1464-103-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/1464-59-0x0000000000370000-0x0000000002404000-memory.dmp

Filesize
32.6MB

Download
memory/1464-55-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1464-57-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1504-100-0x0000000000000000-mapping.dmp

Download
memory/1608-90-0x0000000000000000-mapping.dmp

Download
memory/1780-128-0x0000000000000000-mapping.dmp

Download
memory/1820-85-0x0000000000000000-mapping.dmp

Download
memory/1820-88-0x0000000000FF0000-0x0000000001118000-memory.dmp

Filesize
1.2MB

Download
memory/1820-89-0x000000001C1D0000-0x000000001C1D2000-memory.dmp

Filesize
8KB

Download
memory/1992-62-0x0000000000000000-mapping.dmp

Download