Analysis

- max time kernel: 152s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 01:48

Static task: static1
Behavioral task: behavioral1
- Sample: ezhelpsetup.exe
- Resource: win7-20231215-en

General

- Target: ezhelpsetup.exe
- Size: 9.6MB
- MD5: ae8c9e21fbd3596440e993f15d93309a
- SHA1: 65939be0a8d7683e3f7a1cb82ade1dd6c93e4666
- SHA256: e8af8bbf0e4f6bfbf3f6cc0a86b533dbe23be7e286b37c6c90ca293331d08de8
- SHA512: 548e0f106305b2beb4558765852122ef02a3564ff95f3d813969c2fa4c1353bd6bab421536cccb36470e35e112e96e7812f3a80c2530e4deaf8c51e4c063e30b
- SSDEEP: 196608:4g/VhdnBdl9MytypjpMwdyMLbzs9ubeI63ClNPs9xJF:4gRdQjKwdW9m63mNsz
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
- PID 2652 ezhelpsetup.tmp
- PID 688 ezHelpManager.exe
- PID 2468 ezHelpManager.exe

Loads dropped DLL (14 IoCs)
- PID 1636 ezhelpsetup.exe (1 event)
- PID 2652 ezhelpsetup.tmp (6 events)
- PID 688 ezHelpManager.exe (3 events)
- PID 2468 ezHelpManager.exe (4 events)

Matches yara rule upx (UPX-packed payload, 12 IoCs)
- behavioral1/files/0x000500000001952a-73.dat
- behavioral1/files/0x000500000001952a-105.dat
- behavioral1/files/0x000500000001952a-108.dat
- behavioral1/files/0x00050000000194fd-138.dat
- behavioral1/files/0x00050000000194fd-139.dat
- behavioral1/files/0x00050000000194fd-140.dat
- behavioral1/memory/688-99-0x0000000000820000-0x000000000091B000-memory.dmp
- behavioral1/memory/688-106-0x0000000000820000-0x000000000091B000-memory.dmp
- behavioral1/memory/2468-111-0x0000000000820000-0x000000000091B000-memory.dmp
- behavioral1/memory/2468-141-0x0000000000330000-0x000000000038E000-memory.dmp
- behavioral1/memory/2468-191-0x0000000000820000-0x000000000091B000-memory.dmp
- behavioral1/memory/2468-193-0x0000000000820000-0x000000000091B000-memory.dmp

The 0x820000-0x91B000 region is the same image in both ezHelpManager.exe instances (PIDs 688 and 2468); PID 2468 additionally has a second UPX-matching region at 0x330000-0x38E000.
Checks installed software on the system (1 TTP)
- Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)

By ezhelpsetup.tmp (installer stage; is-*.tmp are Inno Setup staging names, unins000.dat and unins000.msg are its uninstaller data):
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\libcurl.dll
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\VideoEncodingLib.dll
- File created C:\Program Files (x86)\ezHelp\viewer\unins000.dat
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\libeay32.dll
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\NewWinFunc.dll
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\SocketIO.dll
- File created C:\Program Files (x86)\ezHelp\viewer\is-DMTFT.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-8BR34.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-JBCHT.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-T7M75.tmp
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\EzhelpChatRes.dll
- File created C:\Program Files (x86)\ezHelp\viewer\is-N1B0P.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-NPCHG.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-934PJ.tmp
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\RemoteUtil.exe
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\zlib1.dll
- File created C:\Program Files (x86)\ezHelp\viewer\is-S5K4C.tmp
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\ssleay32.dll
- File created C:\Program Files (x86)\ezHelp\viewer\is-OP79E.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-LKS9L.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-910MP.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-7ICL5.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-U79I6.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-198BO.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-QGDJO.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-JJSQC.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-T6QPD.tmp
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\RFLib.dll
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\SoundModule.exe
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\msvcp100.dll
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\ezHelpViewer.exe
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\portaudio_x86.dll
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\ezhelpChatAgent.exe
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\ezHelpDownloader.exe
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\MyUtil.dll
- File created C:\Program Files (x86)\ezHelp\viewer\is-C3UG4.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-V88M3.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-J6R34.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\is-8DOSC.tmp
- File created C:\Program Files (x86)\ezHelp\viewer\unins000.msg
- File opened for modification C:\Program Files (x86)\ezHelp\viewer\msvcr100.dll

By ezHelpManager.exe (HTML chat UI assets and sounds):
- File created C:\Program Files (x86)\ezHelp\viewer\html\chat.css
- File created C:\Program Files (x86)\ezHelp\viewer\html\chat.html
- File created C:\Program Files (x86)\ezHelp\viewer\html\chatapp.html
- File created C:\Program Files (x86)\ezHelp\viewer\html\version.ini
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg1.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg2.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg4.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg5.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg6.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg7.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg8.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblebbg9.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg1.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg2.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg3.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg4.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg5.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg7.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg8.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\html\images\chat2_bubblegbg9.jpg
- File created C:\Program Files (x86)\ezHelp\viewer\wave\alert_8.wav
- File created C:\Program Files (x86)\ezHelp\viewer\wave\alert_26.wav
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (3 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main (ezHelpManager.exe)
- Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (ezHelpManager.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (ezHelpManager.exe)

The WindowsSearch\Version = "WS not running" value is what the IE engine writes when a process hosts the WebBrowser control; it is consistent with the chat UI (html\chat.html, html\chatapp.html dropped above) being rendered in an embedded IE control rather than with a deliberate change to browser settings.

Modifies system certificate store (4 IoCs)

ezHelpManager.exe creates the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 and writes its Blob value three times with identical content (the raw records follow). The Blob is the serialized per-certificate property list that crypt32 keeps in the registry: a sequence of records, each a little-endian DWORD property id, a DWORD reserved field equal to 1, a DWORD length and the data. Decoded, the records are CERT_SIGNATURE_HASH_PROP_ID (0x0f), CERT_ENHKEY_USAGE_PROP_ID (0x09: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping), CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID (0x53), CERT_FRIENDLY_NAME_PROP_ID (0x0b: "C·O·M·O·D·O"), CERT_KEY_IDENTIFIER_PROP_ID (0x14: a0110a233e96f107ece2af29ef82a57fd030a4b4), CERT_SUBJECT_NAME_MD5_HASH_PROP_ID (0x1d), CERT_SHA1_HASH_PROP_ID (0x03: d1eb23a46d17d68fd92564c2f1f1601764d8e349, matching the key name) and CERT_CERT_PROP_ID (0x20: the 1078-byte DER certificate). The certificate is the self-signed root CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB, serial 1, sha1WithRSAEncryption, valid 2004-01-01 to 2028-12-31, with CRL distribution points http://crl.comodoca.com/AAACertificateServices.crl and http://crl.comodo.net/AAACertificateServices.crl.

Triage caveat: AuthRoot is the store that the Windows automatic root update populates, inside the calling process, when chain building needs a Microsoft-trusted root that is not yet cached locally. A well-known public root landing there is the expected side effect of the process verifying a chain anchored at that root (a TLS handshake or a signature check), not evidence that the sample installs its own trust anchor. A certificate written to the ROOT store, or one whose subject is not a known CA, would be the finding worth escalating.
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f
107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e ezHelpManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 ezHelpManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 ezHelpManager.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 ezHelpManager.exe -
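Added example, not part of the sandbox report and not vendor code: a parser for the Blob record layout described above, with the two checks a reviewer wants when a sample touches a certificate store: does the SHA-1 of the embedded certificate match both the CERT_SHA1_HASH_PROP_ID record and the registry key name, and which extended key usages does the entry grant. The sample blob is constructed for the demo; its EKU and friendly-name records reuse the hex from the report, but the certificate record is placeholder bytes, not the real AAA Certificate Services DER. On a live host the same bytes come from the registry (for example `reg query ... /v Blob` or the winreg module); on a report, paste the hex.

```python
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h for the records seen in the report.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {prop_id: data}.

    Each record is <prop_id:u32><reserved:u32 == 1><length:u32><data>, all
    little-endian, packed back to back until the value ends.
    """
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in prop {prop_id}")
        if off + length > len(blob):
            raise ValueError(f"prop {prop_id} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def decode_oid(raw: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_eku(der: bytes) -> list:
    """Decode CERT_ENHKEY_USAGE_PROP_ID: a DER SEQUENCE OF OBJECT IDENTIFIER.

    Short-form lengths only; an EKU list is always well under 128 bytes.
    """
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    body = der[2:2 + der[1]]
    oids, i = [], 0
    while i < len(body):
        if body[i] != 0x06:
            raise ValueError(f"expected an OID tag at offset {i}")
        length = body[i + 1]
        oid = decode_oid(body[i + 2:i + 2 + length])
        oids.append(EKU_NAMES.get(oid, oid))
        i += 2 + length
    return oids


def inspect_cert_entry(key_name: str, blob: bytes) -> dict:
    """Check a Certificates\\<thumbprint> entry for internal consistency."""
    props = parse_cert_blob(blob)
    if 32 not in props:
        raise ValueError("Blob has no CERT_CERT_PROP_ID record")
    cert_der = props[32]
    actual_sha1 = hashlib.sha1(cert_der).hexdigest()
    stored_sha1 = props.get(3, b"").hex()
    friendly = props.get(11, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "cert_sha1": actual_sha1,
        "sha1_prop_matches": stored_sha1 == actual_sha1,   # record 0x03 vs real hash
        "key_name_matches": key_name.lower() == actual_sha1,  # registry key vs real hash
        "friendly_name": friendly,
        "eku": decode_eku(props[9]) if 9 in props else [],
        "cert_der": cert_der,
    }


# Constructed sample with the same record layout as the report's AuthRoot entry.
# EKU and friendly-name bytes are copied from the report; the "certificate" is
# placeholder bytes, NOT a real X.509 DER structure.
FAKE_CERT = b"\x30\x82\x00\x10" + bytes(range(16))


def record(prop_id: int, data: bytes) -> bytes:
    return struct.pack("<III", prop_id, 1, len(data)) + data


SAMPLE_BLOB = (
    record(9, bytes.fromhex(
        "303206082b0601050507030106082b0601050507030206082b06010505070304"
        "06082b0601050507030306082b06010505070308"))
    + record(11, bytes.fromhex("4300b7004f00b7004d00b7004f00b7004400b7004f000000"))
    + record(3, hashlib.sha1(FAKE_CERT).digest())
    + record(32, FAKE_CERT)
)
SAMPLE_KEY_NAME = hashlib.sha1(FAKE_CERT).hexdigest().upper()

if __name__ == "__main__":
    for key, val in inspect_cert_entry(SAMPLE_KEY_NAME, SAMPLE_BLOB).items():
        if key != "cert_der":
            print(f"{key}: {val}")
```

A mismatch between the key name, the SHA-1 record and the hash of the embedded certificate is the thing to look for: crypt32 always keeps the three consistent, so an inconsistent entry was written by something other than the normal store API.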
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2652 ezhelpsetup.tmp (2 events)
- PID 2468 ezHelpManager.exe (1 event)

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2652 ezhelpsetup.tmp

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2468 ezHelpManager.exe (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1636 ezhelpsetup.exe wrote to memory of PID 2652 ezhelpsetup.tmp (procid_target 28), 7 events
- PID 2652 ezhelpsetup.tmp wrote to memory of PID 688 ezHelpManager.exe (procid_target 29), 4 events
- PID 688 ezHelpManager.exe wrote to memory of PID 2468 ezHelpManager.exe (procid_target 31), 4 events

Every write goes from a parent to the child it has just spawned (1636 -> 2652 -> 688 -> 2468, the chain in the process tree below), which is the normal process-creation pattern along an installer chain rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\ezhelpsetup.exe (PID 1636, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ezhelpsetup.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-044JC.tmp\ezhelpsetup.tmp (PID 2652, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\is-044JC.tmp\ezhelpsetup.tmp" /SL5="$70124,9752993,56832,C:\Users\Admin\AppData\Local\Temp\ezhelpsetup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe (PID 688, level 3)
      command line: "C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe (PID 2468, level 4)
        command line: "C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe" elevation
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe (PID 1204, level 1)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

The is-044JC.tmp\ezhelpsetup.tmp stage launched with /SL5= is the Inno Setup second-stage convention, matching the is-*.tmp staging files and unins000.dat/unins000.msg written under Program Files. ezHelpManager.exe re-launches itself with the argument elevation, and it is that second instance (PID 2468) that writes into Program Files and into the machine certificate store.
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize 232KB
  MD5 bf30eb19f5aad99d6e972228c1e5d341
  SHA1 35df64365185a9c197b6e9a097090c1629a2610d
  SHA256 d829e437f1a7c0c69e6ab3cc95e36b9561cb5af5db34830728529571825b36b3
  SHA512 d164a9cef69e8a73427d91da06868983259461eb63aefc088e6d8003be1480e17adf9cd6dafad529c5c528d614cbd0a8cdee4caa1a767aa77543069d6bc01d2b

- Filesize 329KB
  MD5 2861966b349c12e7af5ad746ca6731ab
  SHA1 920c33c3360a3c4808c62cd2b4814935171af78a
  SHA256 1b87411395d45e8b075e1054c48264f21b044b216fb2fc65911d0673450cd7b8
  SHA512 b1a9dceb237b8ef3b0fa6ea21b862a5d50147c996d7b39af61b995685a72dfe1c6b9f9072bd0e45c726f435daead57edd5cac4acd284eefb1450bd25824ff820

- Filesize 170KB
  MD5 96ebac8441652f401b0a4eb56c2d54b5
  SHA1 b3b6344d763cc6bec01e19d4d58cdaaebd974d3d
  SHA256 cd9d08433f2f61da239b6c24a9c25772df4471dadcfce22137ce76a382802dca
  SHA512 f5ccecb290e031c6a17d58bdec1b28f2dbc13b5b8f891729edf021ce73b2d62d3f17012d2649249eb747dc9083545460c4be33437cf346e1a89e7974a9234f99

- Filesize 268KB
  MD5 3514b3945cc874a639f0382cefb092e7
  SHA1 23d98039e0ab39e5a94b2858126380f7419c32ec
  SHA256 fdee00af078a5b67f9bdec5faf8021285b6ff39091ade435b73157fb51cc4a91
  SHA512 95b7e00d217e918e9ff3f83fb2431fb191c24033acecd70c7ac19084603c46023fd711a4b8a3c2f5d1453ee7b83d840cc60e07565c0ca64206a21088db9fc056

- Filesize 641KB
  MD5 2021be8c79cb888bc2e61a53119d2c2d
  SHA1 3f1964fab771fb2a2c90c7d6a8abb4fee4ec2b7c
  SHA256 bee5878788be9455b3bba5763ddc5ccc32d11498df8cb1d4f6069a3bae4dee0a
  SHA512 1ed8ec505a70f2f1a23d120cdbbbb1c53cd17205a36545e7ebd00900f03da1245acb5b08a046348820781b0647d9e8ad40da3c9e36c1997a71a4cfc0a9b7edb4

- Filesize 25B
  MD5 3e17776260ca18f023e567a302f82a09
  SHA1 34a0a01e264bd8ce6efb6b461433e0402c41022c
  SHA256 4270bbacebb2a1941449c3cafc1d592ea41fad4234de91f5a2218086360e1671
  SHA512 5039fe42e18d169e84365635306e3033da7e2e1f0adf8e06b1eb8fe79e25e87cf80794bcc98c05801770041671bf1f77f824eecd1a704a7a6f26647e874821b0

- Filesize 65KB
  MD5 ac05d27423a85adc1622c714f2cb6184
  SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

- Filesize 171KB
  MD5 9c0c641c06238516f27941aa1166d427
  SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

- Filesize 184KB
  MD5 b64872d1dcf53dd6ce919cb860ecd06b
  SHA1 7a58a05ec838a1bd728cdd6b35b4243b4a13bb4f
  SHA256 f89c21e654add84671dc64b32af7a80fa1eaf837606f08c4ae1b8b3c9fa26fc2
  SHA512 e1a50557b80a08221055b0da4fd7bdab673d1f3fc4055ae02821614fa72173a549a1af26a242fc2f621585e53d83e8906277d9e0a6b2e467d54fc91b004215d5

- Filesize 167KB
  MD5 57b6868ab981651ca0fc1e87405363db
  SHA1 7f3e1a140309fcfca7117d0de438e85897f17103
  SHA256 70554f58a82c0d08d4b546007d91fb48795f5d4d7752d435940b10a4f7967c85
  SHA512 f967c15bb1b6ba82845066c86d4cde83aebc18d9be26351babe718ced39c5de458aeaa44228ad2773213cf95ef2a996df05435f2371642f0d9d545e8bb273af2

- Filesize 307KB
  MD5 f8f75baf9d2dbcfdc457f6029c43a4fc
  SHA1 98a0da5fb5e421673d802ed88ff49f55f92360b1
  SHA256 f634ea118014817e1e6ea6dddf57337f2502ce84bf23e4d46f7da4a39797ac21
  SHA512 775449e24a7dce73175b2bbf2476bb6e0b88d3566bbb16a03fa687eecc791219e8e879ecd601917c6414ab28aeecd32436a92ce6011418ceeb0a1f9939ca9a1a

- Filesize 540KB
  MD5 2c02c021b0355f426e9cb4c67c25551b
  SHA1 4fa31b064cf34b79c00558d54b0a2f674a56364a
  SHA256 a3be47ef7363d2d347e821a36ccf1b65a12fbbb5bb5198b7fc7c8fcf728f4343
  SHA512 68b9ded6448ba00200bd687ab5ae1973907df047c8ada8dfa5a010964751e8cbefe27c02eaeaf6d431bd211dfbd61e696530a517cdfebec8d671f4ffa0c429a7

- Filesize 421KB
  MD5 197d026c9f4d81f028f006708b611327
  SHA1 5c322f8013f469435540331f20320b82f2373546
  SHA256 03e43433bc021e9aac8f7593b7332158185d65d108d07c6461c1c0165b415990
  SHA512 efe1946b3b55c83f50ce40b173f2800f7a7f0ccf50c5435229fe5d5f089e3a2f036b8ae45af8af0294cb2b0a4249ed67b981d8f855093beb490650139a687caf

- Filesize 250KB
  MD5 99833c16537d0fae109f34531fd7757c
  SHA1 62b05a85ea89b599c302163c97669818e7ef26b9
  SHA256 2c4881699d918291ebb27e3afa03a6e42d5a3b9078cb200e0f4f2580ef315257
  SHA512 786537f96d6e55cad9db0bcfb4f4819811f4fc919219a8d4da3afbd504f347b7e66943ec9ca0df55fa17fa4ad16c6f81f850c273d3d9a21e9fe73474917852b1

- Filesize 400KB
  MD5 d963f85d2760e05d9fd992271f8b53a4
  SHA1 640788f3594f4cc52316e7c6ac07ea496f80bd13
  SHA256 df3a5c45a45675755e923eed30c8ca2d079ed7c2c67ba49306b1ae1f1e4c2b06
  SHA512 e281e3981a4ee7a0db1bae64583c22f8ee6e3ba9079494cf60b0d0d60920b0bc03f413d1d35fe014c0924f5ca3b5c36add1935f4436e9bb4e438ead016d6c65a

- Filesize 280KB
  MD5 36090ba5f0a6e7a9a29c4dc4ff21da9a
  SHA1 7461089e7f22be07419ba330e87fe167cf837a4c
  SHA256 06cbd4b8658b0397793109095a408da297da7e94d81f9024ca9038782b623155
  SHA512 092140815d4933acac1ce398e9cc57247d63719ac2b485e5b090fcca4b1468570da7bad6fc3700b8175590f86521d4b21a875f8c08e280c0e42dbbd547a7ac76

- Filesize 698KB
  MD5 0a6e91851751531a19c52547db3ddf20
  SHA1 8e7341651d865542cca22012ce0fb102ff932a6b
  SHA256 94235d9138d0d15a34fc1b7bdb8ce24802030da2e94441983198038a57326490
  SHA512 bfed615ac4d5c7d7945d3989a02a2e3c3aff94f669a58923c6aa4bdc3238ed4e9eae3f53234a8340c12fcf771a174c5a57d3b2c29a034807bea1c34cc34c3c28

- Filesize 22KB
  MD5 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3