echelon | 3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894

Analysis

max time kernel
161s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
27-03-2022 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
Size

16.2MB
MD5

7bfb2c60019c6b03c7853718d3c24f67
SHA1

390dad7ffe4dbd389f52e6589c98ab77998b7014
SHA256

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894
SHA512

3ea3fbc7184ba03d6bce3eaa9620c2f8962d8a5494c87bde3d3291b9e4d73fab9861a0ef165e40e17b366a6425ce107dbe9e679b63182b633c8b69c1d69bc8cb

Score

10^/10

echelon collection discovery spyware stealer vmprotect

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file

yara_rule
echelon_log_file

Executes dropped EXE 18 IoCs

Processes:

CL_Debug_Log.txtsvchost.exeFile.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
3500	CL_Debug_Log.txt
1032	svchost.exe
3536	File.exe
1220	Helper.exe
4340	Helper.exe
1532	Helper.exe
1440	Helper.exe
2796	Helper.exe
4140	Helper.exe
4404	Helper.exe
804	Helper.exe
2584	Helper.exe
3464	Helper.exe
768	Helper.exe
2168	Helper.exe
4828	Helper.exe
3924	Helper.exe
4872	Helper.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1896-124-0x0000000000260000-0x00000000022F4000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\svchost.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\svchost.exe	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeHelper.exeHelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	Helper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	Helper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe
Key opened	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe
Key opened	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
10 api.ipify.org
14 ip-api.com

flow	ioc
8	api.ipify.org
9	api.ipify.org
10	api.ipify.org
14	ip-api.com

AutoIT Executable 19 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1896-124-0x0000000000260000-0x00000000022F4000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exesvchost.exe

pid process

1896 3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1032 svchost.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

Helper.exe

description	pid	process	target process
PID 4340 set thread context of 1532	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 1440	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 2796	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 4140	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 4404	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 3464	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 768	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 2168	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 4828	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 3924	4340	Helper.exe	Helper.exe
PID 4340 set thread context of 4872	4340	Helper.exe	Helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2604	1532	WerFault.exe	Helper.exe
3876	1440	WerFault.exe	Helper.exe
1768	2796	WerFault.exe	Helper.exe
4276	4140	WerFault.exe	Helper.exe
1088	4404	WerFault.exe	Helper.exe
3012	3464	WerFault.exe	Helper.exe
3440	768	WerFault.exe	Helper.exe
4236	2168	WerFault.exe	Helper.exe
1844	4828	WerFault.exe	Helper.exe
3500	3924	WerFault.exe	Helper.exe
3052	4872	WerFault.exe	Helper.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4676 schtasks.exe

pid	process
4676	schtasks.exe

NTFS ADS 1 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\SFMEETFT\root\CIMV2	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

pid	process
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

CL_Debug_Log.txtFile.exe

description	pid	process
Token: SeRestorePrivilege	3500	CL_Debug_Log.txt
Token: 35	3500	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3500	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3500	CL_Debug_Log.txt
Token: SeDebugPrivilege	3536	File.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1220	Helper.exe
1220	Helper.exe
1220	Helper.exe
4340	Helper.exe
4340	Helper.exe
4340	Helper.exe
804	Helper.exe
804	Helper.exe
804	Helper.exe
2584	Helper.exe
2584	Helper.exe
2584	Helper.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
1220	Helper.exe
1220	Helper.exe
1220	Helper.exe
4340	Helper.exe
4340	Helper.exe
4340	Helper.exe
804	Helper.exe
804	Helper.exe
804	Helper.exe
2584	Helper.exe
2584	Helper.exe
2584	Helper.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.execmd.exesvchost.exeHelper.exeHelper.exeHelper.exe

description	pid	process	target process
PID 1896 wrote to memory of 3500	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1896 wrote to memory of 3500	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1896 wrote to memory of 3500	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	CL_Debug_Log.txt
PID 1896 wrote to memory of 1916	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1896 wrote to memory of 1916	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1896 wrote to memory of 1916	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	cmd.exe
PID 1916 wrote to memory of 4676	1916	cmd.exe	schtasks.exe
PID 1916 wrote to memory of 4676	1916	cmd.exe	schtasks.exe
PID 1916 wrote to memory of 4676	1916	cmd.exe	schtasks.exe
PID 1896 wrote to memory of 1032	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 1896 wrote to memory of 1032	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 1896 wrote to memory of 1032	1896	3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe	svchost.exe
PID 1032 wrote to memory of 3536	1032	svchost.exe	File.exe
PID 1032 wrote to memory of 3536	1032	svchost.exe	File.exe
PID 1220 wrote to memory of 4340	1220	Helper.exe	Helper.exe
PID 1220 wrote to memory of 4340	1220	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1532	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1532	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1532	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1532	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1440	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1440	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1440	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 1440	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2796	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2796	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2796	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2796	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4140	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4140	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4140	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4140	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4404	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4404	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4404	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4404	4340	Helper.exe	Helper.exe
PID 804 wrote to memory of 2584	804	Helper.exe	Helper.exe
PID 804 wrote to memory of 2584	804	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3464	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3464	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3464	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3464	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 768	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 768	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 768	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 768	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2168	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2168	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2168	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 2168	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4828	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4828	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4828	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4828	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3924	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3924	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3924	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 3924	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4872	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4872	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4872	4340	Helper.exe	Helper.exe
PID 4340 wrote to memory of 4872	4340	Helper.exe	Helper.exe

outlook_office_path 1 IoCs

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

outlook_win_path 1 IoCs

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

C:\Users\Admin\AppData\Local\Temp\3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe
"C:\Users\Admin\AppData\Local\Temp\3316277e7a7f52c5947328ac52fad225295b8c17ddc71bcd0d03cdac6d292894.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
3⤵
- Creates scheduled task(s)
PID:4676

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3536

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck16413
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1532 -s 312
4⤵
- Program crash
PID:2604

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1440 -s 312
4⤵
- Program crash
PID:3876

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2796 -s 320
4⤵
- Program crash
PID:1768

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4140 -s 316
4⤵
- Program crash
PID:4276

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4404 -s 312
4⤵
- Program crash
PID:1088

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3464 -s 312
4⤵
- Program crash
PID:3012

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 768 -s 312
4⤵
- Program crash
PID:3440

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2168 -s 312
4⤵
- Program crash
PID:4236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4828 -s 312
4⤵
- Program crash
PID:1844

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3924 -s 312
4⤵
- Program crash
PID:3500

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
3⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4872 -s 312
4⤵
- Program crash
PID:3052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1532 -ip 1532
1⤵
PID:3368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 176 -p 1440 -ip 1440
1⤵
PID:2532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2796 -ip 2796
1⤵
PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 176 -p 4140 -ip 4140
1⤵
PID:4144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 400 -p 4404 -ip 4404
1⤵
PID:3244

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck16413
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3464 -ip 3464
1⤵
PID:4376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 768 -ip 768
1⤵
PID:4668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 2168 -ip 2168
1⤵
PID:2224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 400 -p 4828 -ip 4828
1⤵
PID:500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 400 -p 3924 -ip 3924
1⤵
PID:3444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 180 -p 4872 -ip 4872
1⤵
PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe
Filesize
6.7MB

MD5
c22705f33a214db9ccdee9fbb696bf2a

SHA1
b11f5c2fa72a798e36075e39e1b98fb943c981c8

SHA256
cc6302736ef57f3272d0e3985237e3f036e4a1e13d4c544b3a4b9db936b4b921

SHA512
a859661e8cbc3cd6c1d795f3ff17f0d395ccfd4fc742742e4d2543b29d5ddaded8821939b03cad2e1bc561f97648ce3fa2dfd72800b7f0026b994558b22d571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
Filesize
12.8MB

MD5
c938bda404fbd5d92ac21dcaf8fe7eda

SHA1
6325026f78525c30e7b31615165c85959ae9ac77

SHA256
031aa7d442360d4a9a58388aa79fcc6bd7c95b595bdb3abc8d3f36b2f014d071

SHA512
dbbdd810780107645dc033d0cc9e89a607cdf074d23a64898e483a1125157221e760d9fa65e973e1c5909d0aff21ebc0fde6b6c582ccec86aebe18315abafb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
faed883653d647ae728833df23e87ebe

SHA1
18864e7e0076e3707a387fad1093c1415791459a

SHA256
166c38e743aafe35c3f812bfa4dfe38e34ee45aaa5fae7eb0db7451dbe2d0bb9

SHA512
633a7683004bea836f2eaa922f270df42a69f7676afe46cf9ea178df894fe134feba6f1704f4fd72ca9b9278f6df6c22c1a4ce939252f10eac9ed731f66008dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
faed883653d647ae728833df23e87ebe

SHA1
18864e7e0076e3707a387fad1093c1415791459a

SHA256
166c38e743aafe35c3f812bfa4dfe38e34ee45aaa5fae7eb0db7451dbe2d0bb9

SHA512
633a7683004bea836f2eaa922f270df42a69f7676afe46cf9ea178df894fe134feba6f1704f4fd72ca9b9278f6df6c22c1a4ce939252f10eac9ed731f66008dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.2MB

MD5
16ed93946b0c3f987e52f302f26a0384

SHA1
09c563656f9049767d792c4559bdfa836f605486

SHA256
56fd8e067619495fed16251aae6b9e30ae8242fbc88570e385e4a42a5409cd28

SHA512
288901556858eb9a2f30605c14715323020e0c418de799ee80f30b4dd2979c10baa32612b4e9fde2e23eda055852da12a43addad1a4bdeeeb83d63d292d414f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.2MB

MD5
16ed93946b0c3f987e52f302f26a0384

SHA1
09c563656f9049767d792c4559bdfa836f605486

SHA256
56fd8e067619495fed16251aae6b9e30ae8242fbc88570e385e4a42a5409cd28

SHA512
288901556858eb9a2f30605c14715323020e0c418de799ee80f30b4dd2979c10baa32612b4e9fde2e23eda055852da12a43addad1a4bdeeeb83d63d292d414f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
Filesize
7.2MB

MD5
063693f6b89c378f3c192f3b965b3432

SHA1
cda5f1fa53bca1b670c6c2f1a1144973c77d920b

SHA256
e8e5bf6a02da05cf64393b5116a5cc4663c29ea559b220ef080137b7681defe7

SHA512
e6abba62ada19f70b9f8530bbc34f98ea913d4c0218de731eafcadf2f684b5c48869431f66b76eecb96570381afe36b97024ddcd894c2c2312cae267a941ccb1

Download Submit
memory/768-181-0x000001E601830000-0x000001E601953000-memory.dmp

Filesize
1.1MB

Download
memory/768-185-0x000001E601830000-0x000001E601953000-memory.dmp

Filesize
1.1MB

Download
memory/768-182-0x000001E6018FD730-mapping.dmp

Download
memory/1032-134-0x0000000000000000-mapping.dmp

Download
memory/1440-153-0x000002395F980000-0x000002395FAA3000-memory.dmp

Filesize
1.1MB

Download
memory/1440-154-0x000002395FA4D730-mapping.dmp

Download
memory/1440-157-0x000002395F980000-0x000002395FAA3000-memory.dmp

Filesize
1.1MB

Download
memory/1532-149-0x00000201AFA4D730-mapping.dmp

Download
memory/1532-152-0x00000201AF980000-0x00000201AFAA3000-memory.dmp

Filesize
1.1MB

Download
memory/1532-148-0x00000201AF980000-0x00000201AFAA3000-memory.dmp

Filesize
1.1MB

Download
memory/1896-124-0x0000000000260000-0x00000000022F4000-memory.dmp

Filesize
32.6MB

Download
memory/1916-130-0x0000000000000000-mapping.dmp

Download
memory/2168-187-0x0000023904C8D730-mapping.dmp

Download
memory/2168-186-0x0000023904BC0000-0x0000023904CE3000-memory.dmp

Filesize
1.1MB

Download
memory/2168-190-0x0000023904BC0000-0x0000023904CE3000-memory.dmp

Filesize
1.1MB

Download
memory/2584-174-0x0000000000000000-mapping.dmp

Download
memory/2796-162-0x000001C4F69D0000-0x000001C4F6AF3000-memory.dmp

Filesize
1.1MB

Download
memory/2796-159-0x000001C4F6A9D730-mapping.dmp

Download
memory/2796-158-0x000001C4F69D0000-0x000001C4F6AF3000-memory.dmp

Filesize
1.1MB

Download
memory/3464-180-0x0000024F59C30000-0x0000024F59D53000-memory.dmp

Filesize
1.1MB

Download
memory/3464-177-0x0000024F59CFD730-mapping.dmp

Download
memory/3464-176-0x0000024F59C30000-0x0000024F59D53000-memory.dmp

Filesize
1.1MB

Download
memory/3500-126-0x0000000000000000-mapping.dmp

Download
memory/3536-141-0x00007FFB6ACD0000-0x00007FFB6B791000-memory.dmp

Filesize
10.8MB

Download
memory/3536-143-0x000000001BF90000-0x000000001BFB2000-memory.dmp

Filesize
136KB

Download
memory/3536-137-0x0000000000000000-mapping.dmp

Download
memory/3536-140-0x0000000000060000-0x0000000000188000-memory.dmp

Filesize
1.2MB

Download
memory/3536-142-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/3924-197-0x0000022EC802D730-mapping.dmp

Download
memory/3924-200-0x0000022EC7F60000-0x0000022EC8083000-memory.dmp

Filesize
1.1MB

Download
memory/3924-196-0x0000022EC7F60000-0x0000022EC8083000-memory.dmp

Filesize
1.1MB

Download
memory/4140-164-0x000002D58F14D730-mapping.dmp

Download
memory/4140-163-0x000002D58F080000-0x000002D58F1A3000-memory.dmp

Filesize
1.1MB

Download
memory/4140-167-0x000002D58F080000-0x000002D58F1A3000-memory.dmp

Filesize
1.1MB

Download
memory/4340-146-0x0000000000000000-mapping.dmp

Download
memory/4404-169-0x00000210EB2DD730-mapping.dmp

Download
memory/4404-172-0x00000210EB210000-0x00000210EB333000-memory.dmp

Filesize
1.1MB

Download
memory/4404-168-0x00000210EB210000-0x00000210EB333000-memory.dmp

Filesize
1.1MB

Download
memory/4676-131-0x0000000000000000-mapping.dmp

Download
memory/4828-191-0x000002019DEB0000-0x000002019DFD3000-memory.dmp

Filesize
1.1MB

Download
memory/4828-195-0x000002019DEB0000-0x000002019DFD3000-memory.dmp

Filesize
1.1MB

Download
memory/4828-192-0x000002019DF7D730-mapping.dmp

Download
memory/4872-202-0x000002846A7BD730-mapping.dmp

Download
memory/4872-201-0x000002846A6F0000-0x000002846A813000-memory.dmp

Filesize
1.1MB

Download
memory/4872-205-0x000002846A6F0000-0x000002846A813000-memory.dmp

Filesize
1.1MB

Download