neshta | 1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefce

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Size

2.3MB
MD5

0c4ba9be77bbe429131a5d6a356e2750
SHA1

153cd660880a3df02142ddfb5d7c5db88a8d76a3
SHA256

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefce
SHA512

e665794ce2cc57607223399f64cb9614036645dbd11a794727d54a634560d5d57b98dfb3a8b0e5f327be0d1095ad33422d7aaafed3232d5d737bbfed32c2d10b
SSDEEP

49152:rGxXUiczpDXlotRxtbs4WRccam/tgD86aP/bemwqGTTxynLCgvhmw:AepDXYDcaa6K9lG4zvt

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral2/memory/952-120-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-124-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-245-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

Executes dropped EXE 3 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

pid	process
2040	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
4840	WSHelper.exe

Loads dropped DLL 9 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

pid	process
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
4840	WSHelper.exe
4840	WSHelper.exe
4840	WSHelper.exe
4840	WSHelper.exe
4840	WSHelper.exe
4840	WSHelper.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wondershare Helper Compact.exe = "C:\\Program Files (x86)\\Common Files\\Wondershare\\Wondershare Helper Compact\\WSHelper.exe"	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-I3N9T.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-K63BM.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\unins000.dat	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-50A9C.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe_temp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\is-E25MS.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-MEETU.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\is-SLGG5.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-QLGEV.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-U5LTT.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-D8G80.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-DJ9Q3.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-8SMGC.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-3B0AQ.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\is-PSHCS.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-C1K4G.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\unins000.dat	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\images\is-LHRUO.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\is-90EI2.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Pages\suit\style\is-BO06P.tmp	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Drops file in Windows directory 1 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

description ioc process

File opened for modification C:\Windows\svchost.com 1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSHelper.exe

Modifies registry class 64 IoCs

Processes:

WSHelper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}\1.1\FLAGS\ = "0"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}\ = "IPayPerView"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\ = "IUploadVideoFile"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\TypeLib	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\ProxyStubClsid32	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WSCustomerServicePlatform.CustomerService\Clsid	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B76550E2-048B-4D8C-B432-4668A54EDEA3}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\ = "IProductUpgrade"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\TypeLib	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\WONDER~1\\WONDER~1\\WSHelper.exe"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D85C6069-D628-4276-93C3-9A94E5338D8B}\1.1\FLAGS	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}\ = "ISilentInstallProduct"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\ = "IExceptionLog"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B76550E2-048B-4D8C-B432-4668A54EDEA3}\ProxyStubClsid32	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}\TypeLib\Version = "1.1"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ = "ICustomerService"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ = "ICustomerService"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0ABE7E0-32E3-472E-924C-162B1996DC23}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E5E91D68-955D-4DE1-AB8E-89B26DF6A331}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\ProxyStubClsid32	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}\ProxyStubClsid32	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\ProxyStubClsid32	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WSCustomerServicePlatform.CustomerService\Clsid\ = "{6E993643-8FBC-44FE-BC85-D318495C4D96}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0477E5C9-0877-499A-8A7C-154C777293DC}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36B0BA4B-20B5-4369-BBCA-9FAADC8EAC19}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA988D3-BA51-48AD-A518-6462CD5FF547}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46884330-13BA-4AC9-BEDC-3A2E955EB8DA}\TypeLib	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\TypeLib\Version = "1.1"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70AC1FC1-A22B-4327-9A54-754B9301A056}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\ProxyStubClsid32	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\ = "IAuthorized"	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55DB3C89-37B9-41E8-87CC-7C578D2F5374}\TypeLib	WSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}	WSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}"	WSHelper.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

pid	process
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmpWSHelper.exe

pid process

2412 1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
4840 WSHelper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WSHelper.exe

pid process

4840 WSHelper.exe

pid	process
4840	WSHelper.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

description	pid	process	target process
PID 952 wrote to memory of 2040	952	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 952 wrote to memory of 2040	952	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 952 wrote to memory of 2040	952	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
PID 2040 wrote to memory of 2412	2040	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2040 wrote to memory of 2412	2040	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2040 wrote to memory of 2412	2040	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
PID 2412 wrote to memory of 4840	2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe
PID 2412 wrote to memory of 4840	2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe
PID 2412 wrote to memory of 4840	2412	1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp	WSHelper.exe

C:\Users\Admin\AppData\Local\Temp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
"C:\Users\Admin\AppData\Local\Temp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\is-UCKRJ.tmp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UCKRJ.tmp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp" /SL5="$110064,2102590,54272,C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
      "C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll

Filesize
134KB

MD5
30ebdc01d3ab9fb3772445cb4a9ebbba

SHA1
f0eee5c8a4f416673ee5a0698075c124aefc5d14

SHA256
0ea512eac7298ed72e8d47da4db8d73557599cd2411f69657cc374cd0704e8e8

SHA512
4be686006d169dcd1f18dd85b0cbf0c13e1e6cfe6ec60f9cea32ba1afae811c0dd232de2d569de164a7c5a1108960551b04c28600f8959a51fc0bded78ca3fa9

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSProducstInfo.dll

Filesize
691KB

MD5
077b7b7d93b66231bb197411da57f23b

SHA1
24a67aa115793644fcefab2e58afeb07d3899e75

SHA256
899d4f9a675d9b3f165b56ae46f3593224c17bfd5b0d739057db45a51d2c37b8

SHA512
25dfd43150b650498f4aa59623ef0820d6a8f31f94797eb52864d95c35758d1d1b5bdf73dc3c0f6046dc89ffb2376fb16604d908ea5d154449a420256209d91f

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll

Filesize
1.4MB

MD5
ead517fe26df369aa13cf9aa620b935e

SHA1
0797d65e0e90f9f2c9e6ae4a673261389aa8b2e5

SHA256
e57e457c56447640011298bf85d589964eacdfe8125b36d6ad0f12d2ec053efd

SHA512
61f3cda3fc26da9b6a98c1912c3df9fce056a7cd553ca365f6992d8ee91c4be18dc50d84f2c42c498326b76f36eb7ac406d0e566b30ba1b4e3f14004e9373cbe

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Languages\English.dat

Filesize
6KB

MD5
f49b3dc0407d545259d7518171970c52

SHA1
9246cda22f90d743128250ccbdbcf06929c55d4b

SHA256
516482b3719d639bde4e134b09e227b51610d307ea9b53c425d70bc705043934

SHA512
809867a7ce7d4c784de7f51f3cbd61fbd5ac724c0745a327d51887d5140f26de2815b04beea4a76ab73057752ee443b865bee0d594a81d3d8227285bf1d28c65

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\Controls.xml

Filesize
19KB

MD5
866d49dff47c4e8515dc3a41fffe7193

SHA1
2a5addbe9f28240ef1f61e0456677ef7afd69200

SHA256
1eabf97b581fd4fbc9dd3b4c7083ed2402c658275f8b979955b68c60c1349915

SHA512
4a5c89d3ac35c2d8ec91ed1cce49da835d3237e867380e72d3a8c1e2d982e8ea74907ec39f52ce4612c622d5800483796fd4a1a5feaf5619a5aedf7f87fee647

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\Skin\Default\TipFrm.xml

Filesize
2KB

MD5
83de817d78fc22e8b4a1101ebcd0e843

SHA1
b82430f42e88cc6667143bb4070460ab0ac33d12

SHA256
77559f48dcb675616b1db040c0b7849f6c7a793332c4d4052010f97c448fe150

SHA512
856e8d05f6962e5cfe2af94e46af3fbe2275092f9a23e83f348d4d6e8272732197b4eb670fbb36edbc28ac1324a98299b488184587afd3b8d41dc0be774694db

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

Filesize
2.0MB

MD5
fe84f125c65b81039acc9ea54b887ea8

SHA1
8d68d1fdd365f9fa40ef25d0ab1ead4361c7f9be

SHA256
546dbcc7a073099096a027efba2598b8242476a0ee20d7026ddee2251b0edf57

SHA512
188f81c6fe7d8839cf9b35e38512cec7ef63c1cf6a630ca5ed836023e2c1fc333a9f5dbd2446d9fa4d72f1044edbae981358062eec1951badf9626c8c7f518d8

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini

Filesize
4KB

MD5
4dc3a90d50540a4e14be647a1ec47b39

SHA1
0656796fc081c3f9ac0bdb416a79d2770d728506

SHA256
7361abe78844978f70b46e6ace2138ded3c03805cc52469a4772f0d3f3bf20f6

SHA512
f4c007a689cc0fe3005e064ffe0412a99b4eb4d2e415f6c5f977c6f68fecd0b188ef89e04dd28d75dcbcde93e3b2414fdf1ad5884c07d18099ace968b45144ed

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.ini

Filesize
4KB

MD5
abf080411fe1733854f62a62c4f78288

SHA1
6f1cfd590b9801787bc99083ac5d174c0b05be73

SHA256
d3b9dba7ef310fca7785c5d9dc341e9a4bd43daf739c67b6ef1f7c6a248f52ea

SHA512
bb5d240559d44b4d05669f16dafd2055589df7ebabf6424fbc61c88c811be2c7693dc62be4c1d910b2e7ae9b073cf088ccb28e05e92cbd3bd4e48f556ed89b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.exe

Filesize
2.3MB

MD5
88ad838f6e60572fd5a97178e8c2cf7f

SHA1
2e9c472ca2d618e1ec028100efb51225e1f81e0a

SHA256
79827a18a6a7902e8644f6d997ee38e8965a4c954ad03dc0cd25d0f3c7a4b2ff

SHA512
3d46862b798b357ec75a641c39d387af7f819c528d828eec791e108b2eb12b6e831d07d66ce9a16895392c0b4e8f6a24edfaa9d8dd842b95183fcc166961cb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQDI1.tmp\KPByName.dll

Filesize
35KB

MD5
4ef13e267ebbf804dd4157b447aa7059

SHA1
b9507c5b02bbae456ae5de7132ebafd27206b944

SHA256
2476d897a6d20653578fcb98737c85ccd96a42e57f67843ffbc431c0d05909a7

SHA512
81df3f309b6a734fae2e824a4535d9a7251d94885593c7c37ee70853f7c721062023d0d22ba1c92845c6fd14356048478b83c132aa9cec9360690a65b74bf360

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQDI1.tmp\TempkillProcess.dll

Filesize
48KB

MD5
2d8ef1f86c38696abef55d64942a2c4a

SHA1
f6710bdda76a1cdb2669f49796f6c3161a895973

SHA256
e6be04c390cee6b4955c8af0c78221fdea3907ca5d0fb5f4f256fe7b05e8a332

SHA512
f668c37d9f722ce8217b87fe6cf2183ecc16451a1402a9d8d143ceac914e7b0056cf8d6aca8f81889cb954c85f12af304efe6d5d9121d4287e47aec2b6732da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQDI1.tmp\WSHelper.ini

Filesize
4KB

MD5
be3c845d1db01761664699f870e78315

SHA1
08ddbd37f2c1ccf4acdca6906d915a829fd2a8f8

SHA256
0c0fd5929f7d258aac1ae23adfd23a4f4d6f37468003ee794465132336d24b21

SHA512
eb824ff125d782096079e564349c331ba9a515f60fc29afcf588d0d26be12032ab554c22b3f270adc1d95872ca092269c7bfbab7fc39bb90dca6c98ca1b9a6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCKRJ.tmp\1d54638b06eebb81519271ea5db4727ee958dbb1f3c409fd632a01eae3aaefceN.tmp

Filesize
696KB

MD5
8aa8c628f7b7b7f3e96eff00557bd0bf

SHA1
9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

SHA256
14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

SHA512
5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

Download Submit
memory/952-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-14-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2040-121-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2040-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2040-243-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2412-29-0x0000000003A70000-0x0000000003A84000-memory.dmp

Filesize
80KB

Download
memory/2412-22-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2412-123-0x0000000003A70000-0x0000000003A84000-memory.dmp

Filesize
80KB

Download
memory/2412-122-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2412-242-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2412-134-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4840-217-0x0000000000BE0000-0x0000000000C98000-memory.dmp

Filesize
736KB

Download
memory/4840-225-0x0000000000BE0000-0x0000000000C98000-memory.dmp

Filesize
736KB

Download
memory/4840-224-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download