neshta | 1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefce

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Size

2.3MB
MD5

0c4ba9be77bbe429131a5d6a356e2750
SHA1

153cd660880a3df02142ddfb5d7c5db88a8d76a3
SHA256

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefce
SHA512

e665794ce2cc57607223399f64cb9614036645dbd11a794727d54a634560d5d57b98dfb3a8b0e5f327be0d1095ad33422d7aaafed3232d5d737bbfed32c2d10b
SSDEEP

49152:rGxXUiczpDXlotRxtbs4WRccam/tgD86aP/bemwqGTTxynLCgvhmw:AepDXYDcaa6K9lG4zvt

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/1560-108-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1560-114-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 3 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

pid	process
2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2204	WSHelper.exe

Loads dropped DLL 11 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

pid	process
1560	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
1560	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2204	WSHelper.exe
2204	WSHelper.exe
2204	WSHelper.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wondershare Helper Compact.exe = "C:\\Program Files (x86)\\Common Files\\Wondershare\\Wondershare Helper Compact\\WSHelper.exe"	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-R0Q32.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-RTAD2.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-C3LT1.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\is-O76KC.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\is-5JLOE.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-R7GON.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-784UV.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-2OD7N.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-N8JQV.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-P6BOO.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Wondershare Helper Compact.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-CAEO5.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-JO07R.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe_temp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-62F97.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-KHJSA.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\unins000.dat	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-HU64F.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-0B5D0.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Languages\is-L0880.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\is-HGDVJ.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-SJOUG.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-ATNPO.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-AF2A3.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\is-MUC92.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

Drops file in Windows directory 1 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

description ioc process

File opened for modification C:\Windows\svchost.com 1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WSHelper.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Modifies registry class 64 IoCs

Processes:

WSHelper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\ = "IUploadLog"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}\ = "ISilentInstallProduct"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}\ = "INewCheckUpdate"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\ProxyStubClsid32	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}\1.1\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Wondershare\\Wondershare Helper Compact\\WSHelper.exe"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B76550E2-048B-4D8C-B432-4668A54EDEA3}\ = "IRegister"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\ProxyStubClsid32	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1CF333F0-7FDC-4160-AAA1-6C9A98D05D70}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}\ProgID\ = "WSCustomerServicePlatform.CustomerService"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}\1.1\FLAGS\ = "0"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\ = "IEventSink"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\ProxyStubClsid32	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\ = "IContactCustomService"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ProxyStubClsid32	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}\Version	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\ = "IUploadLog"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}\ = "IDataGather"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\ = "IExceptionLog"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\TypeLib	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}\ProxyStubClsid32	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B76550E2-048B-4D8C-B432-4668A54EDEA3}\ProxyStubClsid32	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}\ = "IUserExpData"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B76550E2-048B-4D8C-B432-4668A54EDEA3}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}\ = "IPayPerView"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

pid	process
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

pid process

2772 1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2204 WSHelper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WSHelper.exe

pid process

2204 WSHelper.exe

pid	process
2204	WSHelper.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
"C:\Users\Admin\AppData\Local\Temp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\is-7RQ5N.tmp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7RQ5N.tmp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp" /SL5="$500EE,2102590,54272,C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
      "C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll

Filesize
134KB

MD5
30ebdc01d3ab9fb3772445cb4a9ebbba

SHA1
f0eee5c8a4f416673ee5a0698075c124aefc5d14

SHA256
0ea512eac7298ed72e8d47da4db8d73557599cd2411f69657cc374cd0704e8e8

SHA512
4be686006d169dcd1f18dd85b0cbf0c13e1e6cfe6ec60f9cea32ba1afae811c0dd232de2d569de164a7c5a1108960551b04c28600f8959a51fc0bded78ca3fa9

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSProducstInfo.dll

Filesize
691KB

MD5
077b7b7d93b66231bb197411da57f23b

SHA1
24a67aa115793644fcefab2e58afeb07d3899e75

SHA256
899d4f9a675d9b3f165b56ae46f3593224c17bfd5b0d739057db45a51d2c37b8

SHA512
25dfd43150b650498f4aa59623ef0820d6a8f31f94797eb52864d95c35758d1d1b5bdf73dc3c0f6046dc89ffb2376fb16604d908ea5d154449a420256209d91f

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll

Filesize
1.4MB

MD5
ead517fe26df369aa13cf9aa620b935e

SHA1
0797d65e0e90f9f2c9e6ae4a673261389aa8b2e5

SHA256
e57e457c56447640011298bf85d589964eacdfe8125b36d6ad0f12d2ec053efd

SHA512
61f3cda3fc26da9b6a98c1912c3df9fce056a7cd553ca365f6992d8ee91c4be18dc50d84f2c42c498326b76f36eb7ac406d0e566b30ba1b4e3f14004e9373cbe

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Languages\English.dat

Filesize
6KB

MD5
f49b3dc0407d545259d7518171970c52

SHA1
9246cda22f90d743128250ccbdbcf06929c55d4b

SHA256
516482b3719d639bde4e134b09e227b51610d307ea9b53c425d70bc705043934

SHA512
809867a7ce7d4c784de7f51f3cbd61fbd5ac724c0745a327d51887d5140f26de2815b04beea4a76ab73057752ee443b865bee0d594a81d3d8227285bf1d28c65

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\Controls.xml

Filesize
19KB

MD5
866d49dff47c4e8515dc3a41fffe7193

SHA1
2a5addbe9f28240ef1f61e0456677ef7afd69200

SHA256
1eabf97b581fd4fbc9dd3b4c7083ed2402c658275f8b979955b68c60c1349915

SHA512
4a5c89d3ac35c2d8ec91ed1cce49da835d3237e867380e72d3a8c1e2d982e8ea74907ec39f52ce4612c622d5800483796fd4a1a5feaf5619a5aedf7f87fee647

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\TipFrm.xml

Filesize
2KB

MD5
83de817d78fc22e8b4a1101ebcd0e843

SHA1
b82430f42e88cc6667143bb4070460ab0ac33d12

SHA256
77559f48dcb675616b1db040c0b7849f6c7a793332c4d4052010f97c448fe150

SHA512
856e8d05f6962e5cfe2af94e46af3fbe2275092f9a23e83f348d4d6e8272732197b4eb670fbb36edbc28ac1324a98299b488184587afd3b8d41dc0be774694db

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini

Filesize
4KB

MD5
4dc3a90d50540a4e14be647a1ec47b39

SHA1
0656796fc081c3f9ac0bdb416a79d2770d728506

SHA256
7361abe78844978f70b46e6ace2138ded3c03805cc52469a4772f0d3f3bf20f6

SHA512
f4c007a689cc0fe3005e064ffe0412a99b4eb4d2e415f6c5f977c6f68fecd0b188ef89e04dd28d75dcbcde93e3b2414fdf1ad5884c07d18099ace968b45144ed

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini

Filesize
4KB

MD5
f028d2503ef8facfa41ca14cb046c4bb

SHA1
720431d0269a0878c5c9a11d455d6ad7f3660c45

SHA256
7e5ba5a09d31b29643b5634521a2f305ef1b2023f7caa619ed71bccb8f14aedf

SHA512
440aeb9af40ea079e8a47232b49ff20afa7e77023ea9973a5d65e7d32ade15e420202ccaee6a4bd57ab878a178585f10dbc3e0e0cf9d4b314473c71c571acd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H36G3.tmp\WSHelper.ini

Filesize
4KB

MD5
be3c845d1db01761664699f870e78315

SHA1
08ddbd37f2c1ccf4acdca6906d915a829fd2a8f8

SHA256
0c0fd5929f7d258aac1ae23adfd23a4f4d6f37468003ee794465132336d24b21

SHA512
eb824ff125d782096079e564349c331ba9a515f60fc29afcf588d0d26be12032ab554c22b3f270adc1d95872ca092269c7bfbab7fc39bb90dca6c98ca1b9a6f5

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

Filesize
2.0MB

MD5
fe84f125c65b81039acc9ea54b887ea8

SHA1
8d68d1fdd365f9fa40ef25d0ab1ead4361c7f9be

SHA256
546dbcc7a073099096a027efba2598b8242476a0ee20d7026ddee2251b0edf57

SHA512
188f81c6fe7d8839cf9b35e38512cec7ef63c1cf6a630ca5ed836023e2c1fc333a9f5dbd2446d9fa4d72f1044edbae981358062eec1951badf9626c8c7f518d8

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

Filesize
2.3MB

MD5
88ad838f6e60572fd5a97178e8c2cf7f

SHA1
2e9c472ca2d618e1ec028100efb51225e1f81e0a

SHA256
79827a18a6a7902e8644f6d997ee38e8965a4c954ad03dc0cd25d0f3c7a4b2ff

SHA512
3d46862b798b357ec75a641c39d387af7f819c528d828eec791e108b2eb12b6e831d07d66ce9a16895392c0b4e8f6a24edfaa9d8dd842b95183fcc166961cb09

Download Submit
\Users\Admin\AppData\Local\Temp\is-7RQ5N.tmp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Filesize
696KB

MD5
8aa8c628f7b7b7f3e96eff00557bd0bf

SHA1
9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

SHA256
14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

SHA512
5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

Download Submit
\Users\Admin\AppData\Local\Temp\is-H36G3.tmp\KPByName.dll

Filesize
35KB

MD5
4ef13e267ebbf804dd4157b447aa7059

SHA1
b9507c5b02bbae456ae5de7132ebafd27206b944

SHA256
2476d897a6d20653578fcb98737c85ccd96a42e57f67843ffbc431c0d05909a7

SHA512
81df3f309b6a734fae2e824a4535d9a7251d94885593c7c37ee70853f7c721062023d0d22ba1c92845c6fd14356048478b83c132aa9cec9360690a65b74bf360

Download Submit
\Users\Admin\AppData\Local\Temp\is-H36G3.tmp\TempkillProcess.dll

Filesize
48KB

MD5
2d8ef1f86c38696abef55d64942a2c4a

SHA1
f6710bdda76a1cdb2669f49796f6c3161a895973

SHA256
e6be04c390cee6b4955c8af0c78221fdea3907ca5d0fb5f4f256fe7b05e8a332

SHA512
f668c37d9f722ce8217b87fe6cf2183ecc16451a1402a9d8d143ceac914e7b0056cf8d6aca8f81889cb954c85f12af304efe6d5d9121d4287e47aec2b6732da7

Download Submit
\Users\Admin\AppData\Local\Temp\is-H36G3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1560-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1560-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-212-0x0000000000230000-0x00000000002E8000-memory.dmp

Filesize
736KB

Download
memory/2204-211-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2204-203-0x0000000000230000-0x00000000002E8000-memory.dmp

Filesize
736KB

Download
memory/2296-109-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2296-229-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2296-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2296-15-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2772-30-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/2772-112-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2772-111-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/2772-228-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2772-22-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

description	pid	process	target process
PID 1560 wrote to memory of 2296	1560	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 1560 wrote to memory of 2296	1560	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 1560 wrote to memory of 2296	1560	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 1560 wrote to memory of 2296	1560	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2296 wrote to memory of 2772	2296	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2772 wrote to memory of 2204	2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe
PID 2772 wrote to memory of 2204	2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe
PID 2772 wrote to memory of 2204	2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe
PID 2772 wrote to memory of 2204	2772	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe