Windows Analysis Report
invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 828743
MD5: f111934675c34cca18d9d76fc34a2e40
SHA1: 6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
SHA256: c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
Tags: exesigned
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Found potential ransomware demand text
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops certificate files (DER)
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: invoice.exe ReversingLabs: Detection: 35%
Uses 32bit PE files
Source: invoice.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: invoice.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: f:\apps8.0.0.270\sw\src\coexagent\mini-agent\release\Ath_CoexAgent.pdb source: Ath_CoexAgent.exe.0.dr
Source: Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00406268 FindFirstFileA,FindClose, 0_2_00406268
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040572D
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: invoice.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: invoice.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: invoice.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: NMDllHost.exe.0.dr, Mss32.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: invoice.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: invoice.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: NMDllHost.exe.0.dr, Mss32.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: invoice.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: invoice.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: invoice.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: NMDllHost.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-ExtraLight.otf.0.dr String found in binary or memory: http://scripts.sil.org/OFLSource
Source: invoice.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: invoice.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: invoice.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: NMDllHost.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.0.dr, Mss32.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.0.dr, Mss32.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.0.dr, Mss32.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://www.avast.com0/
Source: invoice.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: NMDllHost.exe.0.dr String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: NMDllHost.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004051CA
Drops certificate files (DER)
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship\vmusbmouse.cat Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands
barindex
Found potential ransomware demand text
Source: NMDllHost.exe.0.dr String found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
Source: NMDllHost.exe.0.dr String found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ6
Source: Mss32.dll.0.dr String found in binary or memory: _AIL_unlock@0

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: invoice.exe
Uses 32bit PE files
Source: invoice.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
PE file does not import any functions
Source: lang-1059.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: invoice.exe, 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepaaklders Nonblameful.exe` vs invoice.exe
Source: invoice.exe Binary or memory string: OriginalFilenamepaaklders Nonblameful.exe` vs invoice.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031F1
Detected potential crypto function
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00406742 0_2_00406742
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00404A09 0_2_00404A09
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00406F19 0_2_00406F19
PE / OLE file has an invalid certificate
Source: invoice.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\invoice.exe Process Stats: CPU usage > 98%
Source: invoice.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\invoice.exe File read: C:\Users\user\Desktop\invoice.exe Jump to behavior
Source: invoice.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031F1
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\nsfE50D.tmp Jump to behavior
Source: classification engine Classification label: mal56.rans.winEXE@1/12@0/0
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar, 0_2_004020CB
Source: C:\Users\user\Desktop\invoice.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00404496 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404496
Source: invoice.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: f:\apps8.0.0.270\sw\src\coexagent\mini-agent\release\Ath_CoexAgent.pdb source: Ath_CoexAgent.exe.0.dr
Source: Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
PE file contains sections with non-standard names
Source: Mss32.dll.0.dr Static PE information: section name: MSSMIXER
Source: NMDllHost.exe.0.dr Static PE information: section name: .shared
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Drops PE files
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\AdvSplash.dll Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll Jump to dropped file
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00406268 FindFirstFileA,FindClose, 0_2_00406268
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040572D
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\invoice.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\invoice.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: vmusbmouse.cat.0.dr Binary or memory string: VMware, Inc.
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031F1
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828743 Sample: invoice.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 56 16 Multi AV Scanner detection for submitted file 2->16 18 Found potential ransomware demand text 2->18 20 Initial sample is a PE file and has a suspicious name 2->20 5 invoice.exe 3 51 2->5         started        process3 file4 8 C:\Users\user\AppData\Local\...\System.dll, PE32 5->8 dropped 10 C:\Users\user\AppData\Local\...\AdvSplash.dll, PE32 5->10 dropped 12 C:\Users\user\AppData\Local\...12MDllHost.exe, PE32 5->12 dropped 14 3 other files (none is malicious) 5->14 dropped
No contacted IP infos