neshta | a35068cb5ee30a810f9e3afe469321efa9742c1e1038980919246c8f7f75afaf

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
Size

129KB
MD5

b7de84462688cd19db902ace0479afb0
SHA1

fd5f86b8c83093248f6e4c565f091f98573dbf3d
SHA256

a35068cb5ee30a810f9e3afe469321efa9742c1e1038980919246c8f7f75afaf
SHA512

53b79f13aa8b9905ed6722f9d280cf4ae68487f5a0ed8f18c63001f88d7b541bc6a9a000d009662d126f8052c83aa1297608b16aeeb49095193677e6558ee5f9
SSDEEP

1536:JxqjQ+P04wsmJCLozkN7ciD+3faCKM5RdJ5R3sozkt5RA3B65MOxqjQ+P04wsmJ+:sr85CLzo7N7k/IB0ur85CL

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/3292-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4724-26-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/432-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4404-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5012-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1500-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4624-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4172-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3312-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3724-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/644-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3380-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2436-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4816-92-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
behavioral2/memory/1360-122-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
behavioral2/memory/840-137-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\NOTIFI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\MSEDGE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\COOKIE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\BHO\IE_TO_~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe	family_neshta
behavioral2/memory/1056-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1248-237-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	family_neshta
behavioral2/memory/808-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
behavioral2/memory/2360-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1512-248-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1664-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3312-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/212-263-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1628-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1136-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3840-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4832-274-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2576-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4772-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3716-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1360-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1884-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1196-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4384-304-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3100-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2412-312-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEb7de84462688cd19db902ace0479afb0_NeikiAnalytics.exeB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	B7DE84~1.EXE

Executes dropped EXE 64 IoCs

Processes:

b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exesvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.com

pid	process
624	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
3292	svchost.com
4724	B7DE84~1.EXE
432	svchost.com
4404	B7DE84~1.EXE
5012	svchost.com
1500	B7DE84~1.EXE
4624	svchost.com
4172	B7DE84~1.EXE
3312	svchost.com
3724	B7DE84~1.EXE
644	svchost.com
3380	B7DE84~1.EXE
2436	svchost.com
4816	B7DE84~1.EXE
1360	svchost.com
840	B7DE84~1.EXE
1056	svchost.com
1248	B7DE84~1.EXE
808	svchost.com
2360	B7DE84~1.EXE
1512	svchost.com
1664	B7DE84~1.EXE
3312	svchost.com
212	B7DE84~1.EXE
1628	svchost.com
1136	B7DE84~1.EXE
3840	svchost.com
4832	B7DE84~1.EXE
2576	svchost.com
4772	B7DE84~1.EXE
3716	svchost.com
1360	B7DE84~1.EXE
1884	svchost.com
1196	B7DE84~1.EXE
4384	svchost.com
3100	B7DE84~1.EXE
2412	svchost.com
4020	B7DE84~1.EXE
3764	svchost.com
1972	B7DE84~1.EXE
4584	svchost.com
3940	B7DE84~1.EXE
3500	svchost.com
1392	B7DE84~1.EXE
452	svchost.com
4828	B7DE84~1.EXE
3320	svchost.com
212	B7DE84~1.EXE
1904	svchost.com
3380	B7DE84~1.EXE
436	svchost.com
2428	B7DE84~1.EXE
4376	svchost.com
1608	B7DE84~1.EXE
2572	svchost.com
2292	B7DE84~1.EXE
4900	svchost.com
4320	B7DE84~1.EXE
2112	svchost.com
3924	B7DE84~1.EXE
1688	svchost.com
4720	B7DE84~1.EXE
2720	svchost.com

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exeB7DE84~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	B7DE84~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exeb7de84462688cd19db902ace0479afb0_NeikiAnalytics.exeB7DE84~1.EXE

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\notification_helper.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	B7DE84~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_proxy.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	B7DE84~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\notification_helper.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	B7DE84~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	B7DE84~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\pwahelper.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	B7DE84~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_pwa_launcher.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_proxy.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	B7DE84~1.EXE

Drops file in Windows directory 64 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comB7DE84~1.EXEsvchost.comsvchost.comsvchost.comB7DE84~1.EXEB7DE84~1.EXEsvchost.comsvchost.comB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comsvchost.comB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEsvchost.comsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEB7DE84~1.EXEsvchost.comsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\svchost.com	B7DE84~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

B7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEb7de84462688cd19db902ace0479afb0_NeikiAnalytics.exeB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXEB7DE84~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	B7DE84~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exeb7de84462688cd19db902ace0479afb0_NeikiAnalytics.exesvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXEsvchost.comB7DE84~1.EXE

description	pid	process	target process
PID 5068 wrote to memory of 624	5068	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
PID 5068 wrote to memory of 624	5068	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
PID 5068 wrote to memory of 624	5068	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
PID 624 wrote to memory of 3292	624	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	svchost.com
PID 624 wrote to memory of 3292	624	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	svchost.com
PID 624 wrote to memory of 3292	624	b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe	svchost.com
PID 3292 wrote to memory of 4724	3292	svchost.com	B7DE84~1.EXE
PID 3292 wrote to memory of 4724	3292	svchost.com	B7DE84~1.EXE
PID 3292 wrote to memory of 4724	3292	svchost.com	B7DE84~1.EXE
PID 4724 wrote to memory of 432	4724	B7DE84~1.EXE	svchost.com
PID 4724 wrote to memory of 432	4724	B7DE84~1.EXE	svchost.com
PID 4724 wrote to memory of 432	4724	B7DE84~1.EXE	svchost.com
PID 432 wrote to memory of 4404	432	svchost.com	B7DE84~1.EXE
PID 432 wrote to memory of 4404	432	svchost.com	B7DE84~1.EXE
PID 432 wrote to memory of 4404	432	svchost.com	B7DE84~1.EXE
PID 4404 wrote to memory of 5012	4404	B7DE84~1.EXE	svchost.com
PID 4404 wrote to memory of 5012	4404	B7DE84~1.EXE	svchost.com
PID 4404 wrote to memory of 5012	4404	B7DE84~1.EXE	svchost.com
PID 5012 wrote to memory of 1500	5012	svchost.com	B7DE84~1.EXE
PID 5012 wrote to memory of 1500	5012	svchost.com	B7DE84~1.EXE
PID 5012 wrote to memory of 1500	5012	svchost.com	B7DE84~1.EXE
PID 1500 wrote to memory of 4624	1500	B7DE84~1.EXE	B7DE84~1.EXE
PID 1500 wrote to memory of 4624	1500	B7DE84~1.EXE	B7DE84~1.EXE
PID 1500 wrote to memory of 4624	1500	B7DE84~1.EXE	B7DE84~1.EXE
PID 4624 wrote to memory of 4172	4624	svchost.com	B7DE84~1.EXE
PID 4624 wrote to memory of 4172	4624	svchost.com	B7DE84~1.EXE
PID 4624 wrote to memory of 4172	4624	svchost.com	B7DE84~1.EXE
PID 4172 wrote to memory of 3312	4172	B7DE84~1.EXE	svchost.com
PID 4172 wrote to memory of 3312	4172	B7DE84~1.EXE	svchost.com
PID 4172 wrote to memory of 3312	4172	B7DE84~1.EXE	svchost.com
PID 3312 wrote to memory of 3724	3312	svchost.com	B7DE84~1.EXE
PID 3312 wrote to memory of 3724	3312	svchost.com	B7DE84~1.EXE
PID 3312 wrote to memory of 3724	3312	svchost.com	B7DE84~1.EXE
PID 3724 wrote to memory of 644	3724	B7DE84~1.EXE	B7DE84~1.EXE
PID 3724 wrote to memory of 644	3724	B7DE84~1.EXE	B7DE84~1.EXE
PID 3724 wrote to memory of 644	3724	B7DE84~1.EXE	B7DE84~1.EXE
PID 644 wrote to memory of 3380	644	svchost.com	B7DE84~1.EXE
PID 644 wrote to memory of 3380	644	svchost.com	B7DE84~1.EXE
PID 644 wrote to memory of 3380	644	svchost.com	B7DE84~1.EXE
PID 3380 wrote to memory of 2436	3380	B7DE84~1.EXE	Conhost.exe
PID 3380 wrote to memory of 2436	3380	B7DE84~1.EXE	Conhost.exe
PID 3380 wrote to memory of 2436	3380	B7DE84~1.EXE	Conhost.exe
PID 2436 wrote to memory of 4816	2436	svchost.com	B7DE84~1.EXE
PID 2436 wrote to memory of 4816	2436	svchost.com	B7DE84~1.EXE
PID 2436 wrote to memory of 4816	2436	svchost.com	B7DE84~1.EXE
PID 4816 wrote to memory of 1360	4816	B7DE84~1.EXE	svchost.com
PID 4816 wrote to memory of 1360	4816	B7DE84~1.EXE	svchost.com
PID 4816 wrote to memory of 1360	4816	B7DE84~1.EXE	svchost.com
PID 1360 wrote to memory of 840	1360	svchost.com	B7DE84~1.EXE
PID 1360 wrote to memory of 840	1360	svchost.com	B7DE84~1.EXE
PID 1360 wrote to memory of 840	1360	svchost.com	B7DE84~1.EXE
PID 840 wrote to memory of 1056	840	B7DE84~1.EXE	svchost.com
PID 840 wrote to memory of 1056	840	B7DE84~1.EXE	svchost.com
PID 840 wrote to memory of 1056	840	B7DE84~1.EXE	svchost.com
PID 1056 wrote to memory of 1248	1056	svchost.com	B7DE84~1.EXE
PID 1056 wrote to memory of 1248	1056	svchost.com	B7DE84~1.EXE
PID 1056 wrote to memory of 1248	1056	svchost.com	B7DE84~1.EXE
PID 1248 wrote to memory of 808	1248	B7DE84~1.EXE	svchost.com
PID 1248 wrote to memory of 808	1248	B7DE84~1.EXE	svchost.com
PID 1248 wrote to memory of 808	1248	B7DE84~1.EXE	svchost.com
PID 808 wrote to memory of 2360	808	svchost.com	svchost.com
PID 808 wrote to memory of 2360	808	svchost.com	svchost.com
PID 808 wrote to memory of 2360	808	svchost.com	svchost.com
PID 2360 wrote to memory of 1512	2360	B7DE84~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\3582-490\b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
23⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1512

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
25⤵
- Executes dropped EXE
PID:3312

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
26⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
27⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
28⤵
- Executes dropped EXE
- Modifies registry class
PID:1136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
29⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
30⤵
- Executes dropped EXE
- Modifies registry class
PID:4832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
31⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
32⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
33⤵
- Executes dropped EXE
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
34⤵
- Checks computer location settings
- Executes dropped EXE
PID:1360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
35⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
36⤵
- Executes dropped EXE
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
37⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
38⤵
- Executes dropped EXE
PID:3100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
39⤵
- Executes dropped EXE
PID:2412

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
40⤵
- Executes dropped EXE
PID:4020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
41⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3764

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
42⤵
- Executes dropped EXE
- Modifies registry class
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
43⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
44⤵
- Executes dropped EXE
- Modifies registry class
PID:3940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
45⤵
- Executes dropped EXE
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
46⤵
- Executes dropped EXE
PID:1392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
47⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
48⤵
- Checks computer location settings
- Executes dropped EXE
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
49⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
50⤵
- Executes dropped EXE
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
51⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
52⤵
- Executes dropped EXE
PID:3380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
53⤵
- Executes dropped EXE
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
54⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
55⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4376

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
57⤵
- Executes dropped EXE
PID:2572

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
58⤵
- Executes dropped EXE
PID:2292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
59⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
60⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
61⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
62⤵
- Executes dropped EXE
PID:3924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
63⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
64⤵
- Executes dropped EXE
PID:4720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
65⤵
- Executes dropped EXE
PID:2720

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
66⤵
- Drops file in Windows directory
- Modifies registry class
PID:5092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
67⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
68⤵
PID:4624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
69⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
70⤵
- Modifies registry class
PID:1392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
71⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
72⤵
- Checks computer location settings
PID:4420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
73⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
74⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
75⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
76⤵
- Checks computer location settings
PID:3840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
77⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
78⤵
- Modifies registry class
PID:1160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
79⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
80⤵
- Checks computer location settings
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
81⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
82⤵
PID:5088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
83⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
84⤵
PID:3036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
85⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
86⤵
- Modifies registry class
PID:3960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
87⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
88⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
89⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
90⤵
- Drops file in Windows directory
PID:2720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
91⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
92⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
93⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
94⤵
- Modifies registry class
PID:2152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
95⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
96⤵
- Modifies registry class
PID:2064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
97⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
98⤵
PID:644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
99⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
100⤵
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
101⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
102⤵
PID:4148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
103⤵
- Drops file in Windows directory
PID:4696

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
104⤵
- Modifies registry class
PID:5040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
105⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
106⤵
PID:3788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
107⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
108⤵
- Drops file in Windows directory
PID:452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
109⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
110⤵
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
111⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
112⤵
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
113⤵
- Drops file in Windows directory
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
114⤵
PID:4720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
115⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
116⤵
- Checks computer location settings
PID:2720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
117⤵
- Drops file in Windows directory
PID:3976

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
118⤵
- Modifies registry class
PID:2068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
119⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
120⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
121⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
122⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
123⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
124⤵
- Checks computer location settings
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
125⤵
- Drops file in Windows directory
PID:4644

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
126⤵
- Modifies registry class
PID:3700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
127⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
128⤵
PID:1884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
129⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
130⤵
- Checks computer location settings
PID:4700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
131⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
132⤵
- Checks computer location settings
PID:4540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
133⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
134⤵
PID:4020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
135⤵
- Drops file in Windows directory
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
136⤵
- Drops file in Windows directory
PID:4564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
137⤵
- Drops file in Windows directory
PID:5080

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
138⤵
- Modifies registry class
PID:4624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
139⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
140⤵
- Checks computer location settings
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
141⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
142⤵
PID:3496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
143⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
144⤵
- Checks computer location settings
- Modifies registry class
PID:3380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
145⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
146⤵
- Drops file in Windows directory
PID:3716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
147⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
148⤵
- Checks computer location settings
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
149⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
150⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
151⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
152⤵
- Drops file in Windows directory
- Modifies registry class
PID:3772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
153⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
154⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
PID:2920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
155⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
156⤵
- Checks computer location settings
- Modifies registry class
PID:2044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
157⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
158⤵
PID:1048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
159⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
160⤵
- Modifies registry class
PID:2704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
161⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
162⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
163⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
164⤵
- Drops file in Windows directory
- Modifies registry class
PID:3032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
165⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
166⤵
- Drops file in Windows directory
PID:1884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
167⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
168⤵
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
169⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
170⤵
- Checks computer location settings
PID:2584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
171⤵
- Drops file in Windows directory
PID:4160

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
172⤵
PID:3100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
173⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
174⤵
- Checks computer location settings
- Modifies registry class
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
175⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
176⤵
- Modifies registry class
PID:2068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
177⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
178⤵
- Checks computer location settings
- Modifies registry class
PID:4080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
179⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
180⤵
PID:3676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
181⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
182⤵
PID:4644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
183⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
184⤵
PID:4600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
185⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
186⤵
PID:4028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
187⤵
- Drops file in Windows directory
PID:4816

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
188⤵
- Checks computer location settings
PID:4304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
189⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
190⤵
- Checks computer location settings
- Modifies registry class
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
191⤵
- Drops file in Windows directory
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
192⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
193⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
194⤵
- Checks computer location settings
PID:2564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
195⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
196⤵
- Checks computer location settings
PID:3772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
197⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
198⤵
PID:1180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
199⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
200⤵
- Checks computer location settings
PID:3132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
201⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
202⤵
- Checks computer location settings
- Modifies registry class
PID:3496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
203⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
204⤵
PID:4136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
205⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
206⤵
- Modifies registry class
PID:840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
207⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
208⤵
PID:452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
209⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
210⤵
PID:2556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
211⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
212⤵
- Drops file in Windows directory
- Modifies registry class
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
213⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
214⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
215⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
216⤵
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
217⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
218⤵
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
219⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
220⤵
PID:2044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
221⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
222⤵
PID:4080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
223⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
224⤵
PID:2512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
225⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
226⤵
- Modifies registry class
PID:3380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
227⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
228⤵
- Checks computer location settings
PID:3252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
229⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
230⤵
- Modifies registry class
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
231⤵
- Drops file in Windows directory
PID:4216

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
232⤵
- Modifies registry class
PID:4160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
233⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
234⤵
- Checks computer location settings
- Modifies registry class
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
235⤵
- Drops file in Windows directory
PID:3416

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
236⤵
- Drops file in Windows directory
PID:972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
237⤵
- Drops file in Windows directory
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
238⤵
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
239⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
240⤵
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
241⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
242⤵
- Checks computer location settings
PID:116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
243⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
244⤵
- Checks computer location settings
PID:3040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
245⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
246⤵
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
247⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
248⤵
- Modifies registry class
PID:2564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
249⤵
- Drops file in Windows directory
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
250⤵
- Modifies registry class
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
251⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
252⤵
- Checks computer location settings
- Modifies registry class
PID:4624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
253⤵
- Drops file in Windows directory
PID:1052

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
254⤵
PID:3528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
255⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
256⤵
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
257⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
258⤵
- Checks computer location settings
PID:116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
259⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
260⤵
- Drops file in Windows directory
- Modifies registry class
PID:452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
261⤵
- Drops file in Windows directory
PID:4216

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
262⤵
PID:1308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
263⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
264⤵
- Checks computer location settings
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
265⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
266⤵
PID:5116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
267⤵
- Drops file in Windows directory
PID:3908

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
268⤵
- Modifies registry class
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
269⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
270⤵
- Modifies registry class
PID:4364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
271⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
272⤵
- Drops file in Windows directory
PID:3000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
273⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
274⤵
- Checks computer location settings
- Modifies registry class
PID:4612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
275⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
276⤵
- Modifies registry class
PID:4540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
277⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
278⤵
- Checks computer location settings
PID:3976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
279⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
280⤵
- Checks computer location settings
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
281⤵
- Drops file in Windows directory
PID:4716

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
282⤵
PID:2428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
283⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
284⤵
- Checks computer location settings
- Modifies registry class
PID:744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
285⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
286⤵
- Checks computer location settings
- Modifies registry class
PID:3532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
287⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
288⤵
PID:3040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
289⤵
- Drops file in Windows directory
PID:4860

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
290⤵
- Drops file in Windows directory
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
291⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
292⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
293⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
294⤵
- Modifies registry class
PID:3560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
295⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
296⤵
- Modifies registry class
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
297⤵
- Drops file in Windows directory
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
298⤵
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
299⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
300⤵
- Drops file in Windows directory
PID:3532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
301⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
302⤵
PID:4164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
303⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
304⤵
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
305⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
306⤵
- Checks computer location settings
- Modifies registry class
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
307⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
308⤵
PID:1028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
309⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
310⤵
- Modifies registry class
PID:1360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
311⤵
- Drops file in Windows directory
PID:4616

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
312⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
313⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
314⤵
PID:4584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
315⤵
- Drops file in Windows directory
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
316⤵
PID:912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
317⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
318⤵
PID:4372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
319⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
320⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
321⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
322⤵
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
323⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
324⤵
PID:4516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
325⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
326⤵
- Checks computer location settings
- Modifies registry class
PID:4820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
327⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
328⤵
- Checks computer location settings
PID:1248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
329⤵
- Drops file in Windows directory
PID:4584

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
330⤵
- Modifies registry class
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
331⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
332⤵
PID:2572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
333⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
334⤵
PID:4960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
335⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
336⤵
PID:4136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
337⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
338⤵
- Checks computer location settings
- Modifies registry class
PID:2152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
339⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
340⤵
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
341⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
342⤵
PID:3532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
343⤵
- Drops file in Windows directory
PID:2796

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
344⤵
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
345⤵
- Drops file in Windows directory
PID:5100

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
346⤵
PID:1252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
347⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
348⤵
- Drops file in Windows directory
- Modifies registry class
PID:3496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
349⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
350⤵
PID:2332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
351⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
352⤵
- Drops file in Windows directory
- Modifies registry class
PID:2288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
353⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
354⤵
- Modifies registry class
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
355⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
356⤵
PID:912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
357⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
358⤵
- Modifies registry class
PID:944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
359⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
360⤵
PID:3700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
361⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
362⤵
- Checks computer location settings
- Modifies registry class
PID:2976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
363⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
364⤵
- Checks computer location settings
PID:4028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
365⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
366⤵
- Checks computer location settings
PID:5080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
367⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
368⤵
- Checks computer location settings
- Modifies registry class
PID:2292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
369⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
370⤵
PID:4864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
371⤵
- Drops file in Windows directory
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
372⤵
- Checks computer location settings
- Modifies registry class
PID:972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
373⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
374⤵
- Checks computer location settings
PID:3604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
375⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
376⤵
- Modifies registry class
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
377⤵
- Drops file in Windows directory
PID:4136

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
378⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
379⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
380⤵
- Modifies registry class
PID:2280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
381⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
382⤵
- Checks computer location settings
PID:2608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE"
383⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\B7DE84~1.EXE
384⤵
PID:1180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
385⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3236,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4596

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5116

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3700

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
e316c67c785d3e39e90341b0bbaac705

SHA1
7ffd89492438a97ad848068cfdaab30c66afca35

SHA256
4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478

SHA512
25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
e7a27a45efa530c657f58fda9f3b9f4a

SHA1
6c0d29a8b75574e904ab1c39fc76b39ca8f8e461

SHA256
d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5

SHA512
0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
Filesize
366KB

MD5
60d1d70ce0e486291840f495dd204822

SHA1
2fdc59a7c003483c84af1bfb4b40852487f96a46

SHA256
590afbe437514646a30918a6dddff718adcfcd92f709bfcd983d7226f9ef4665

SHA512
979cb9e361562a1fd7651c80ee3c4da4b9547c34ab2a06c4d517a90a1a901a994b2f19d1e1cbc0696e6bef774ab54a5a2ba2aa401db3df235d39ae9caaccd68b

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
de69c005b0bbb513e946389227183eeb

SHA1
2a64efdcdc71654356f77a5b77da8b840dcc6674

SHA256
ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7

SHA512
6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
Filesize
155KB

MD5
f7c714dbf8e08ca2ed1a2bfb8ca97668

SHA1
cc78bf232157f98b68b8d81327f9f826dabb18ab

SHA256
fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899

SHA512
28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
Filesize
342KB

MD5
5da33a7b7941c4e76208ee7cddec8e0b

SHA1
cdd2e7b9b0e4be68417d4618e20a8283887c489c

SHA256
531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751

SHA512
977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\BHO\IE_TO_~1.EXE
Filesize
598KB

MD5
ac0d708bbcd017ea66c1e5342769247f

SHA1
80ac2eba3acd2c5cd46b5dd0d7d4e50bc1dcd832

SHA256
9bad891baaba2084cb551b981b9eec735f3a9482b51b4b3abbabf76dbc217cd2

SHA512
4bc2f1d9d86407776a725a97f80f8ffd88c5139977ee84bbefd7e01b37a4665f1ccf23bde4ac3f9bcaf8bb4159868577153bf93bb07abc4e7924b12019cb18a2

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\COOKIE~1.EXE
Filesize
202KB

MD5
59dfac4d3296abec3d7cb4b6a18aec5a

SHA1
a643c1e4d4186a66832203eeaddd739b3eda3cec

SHA256
33cea01cec18ac92aa5fb139c6582b364e3433c66f1f2e990f62b428ee249f33

SHA512
8345092a50c4482f803e43aabd57171d52e587e3265b56b7b41a1c847b18090b74e741c66b05dc46a2c87bf8b2f338825bc45dda0d15e5bc842ab40d4a30e7f2

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\MSEDGE~2.EXE
Filesize
1.3MB

MD5
fc3622c190003839a2dc11c8ee0606b5

SHA1
bcabad43d44ca4ef5b5e1724c5cba2f538fcd9b0

SHA256
c2da0bd463ffbfaa67f49830740207468164afd5e56fd7c75109de0fd82d6313

SHA512
091aa3050a28e91d2017d3146dc7bbc0989b470ac015550d82d6592e32c1125b7f4dd1d712f7912e3aeb90aac1f065fbad632f8ab4fb1e4caa599fe4bcd0c9a1

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\NOTIFI~1.EXE
Filesize
1.5MB

MD5
35a7ae8cc07eac7a49f03d45fd446620

SHA1
a13ea61f68a48b7797038c8a517d92e99fcc4866

SHA256
f5c9e992eb29062f27f8a1a569d8be337f38a2dc5935a5457133036c72e911d2

SHA512
8b980ff267d843b16f0c1b69d8cbfaff3eef3cd6b9917049acd78a6bcd4e56c6402a81b706543595618d034345bd4a250248411daff9863f250359f5a081cb15

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\PWAHEL~1.EXE
Filesize
1.2MB

MD5
845705026ff8f5de0faf8dbe21af17bd

SHA1
f206a88626d19d7c403ef89df86562d5f4f24ed4

SHA256
9e502b3fffdeacabc600f39cc176c3d31e19dfbb9036d30177e164d96ba5278f

SHA512
79bc46c1d00d373e9b6f33385330b62a7f1447300721ed356c0fc235ec3e5c79a55fb740591d54259828f2b804898e4fb078ffc3bffbbe3980d6c1224aa4d3be

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\msedge.exe
Filesize
3.9MB

MD5
f72b423cf9cc798732925eed3cf2e60c

SHA1
79704a4604020a0f6e7ae63d1be486cdbe08e061

SHA256
a978d5aa986b25b229b3c45120b9cac1f223497cfb870c869b86aedcdc4602f1

SHA512
0d72aaf9fa6acc92da60c34f59c72fa07ec5d857dfeea114613bc94de44154fa2d6a94aa8dea47a8212e74776c76b8cc2049f787d726361400521f724458c55f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe
Filesize
6.8MB

MD5
3c6af29363b09b1fe010b098eb483da8

SHA1
a3eb972dad6881268d5aec7db7a5b3112d0d5f82

SHA256
82ff701fb161ceff3a018b7a744a71c9e88b7009e32792499b742c2b0a88ec01

SHA512
6fbff42fca39c93a972e55b227f05a507ea494a4cd22a0e09c578c144bb9bc3eea9ab8402ffa1f1c7e10bd53c4384e68049aeb51d729629cc9f0624d0fd747fa

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe
Filesize
1.8MB

MD5
f6d23b507a70dc334edc1f7a83f23f35

SHA1
faad9c7cc838feca898f79a59ee3fc172b4c793b

SHA256
66c7ddec71930588f69aa9b2ea682a4b5e166ff4d12e3a053b6bc73b44f24992

SHA512
cce30fb7085c6b833532b5d64c6d2c9af9a5dd9b1b74832a2c526ea1944c360bbdb7e0d65de6f9db068a650c0abcd65490e33240618e8e8fd0da0348dd00022d

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe
Filesize
1.2MB

MD5
f4c739b8d39e94691f85aca0f3007eed

SHA1
8f0ba5301a025835a024dcf9312fdddf8d49cba2

SHA256
95cfee63090a0368c1d5e49a7e6d3b0f219a6ff1fb4e835bbab9e7689d273d47

SHA512
ef35fb3857a8a192223bf5f49cd9f7a4007fbb5c34171a3f42900dad1db7b4d1b20804b2c1c296ad4950942d0a92c4d5ab8e495aeed0e350bc4f216cdfff8b4b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe
Filesize
3.5MB

MD5
8d02e12a6e12a15882584f2ce59c93cb

SHA1
d868bf3c491e5f8cd1c9dd0e11f962408053a655

SHA256
0eb172c21b63cce9fb42a2692a2b298c2e9800ff0d74994956d8bd82029ec897

SHA512
19155cdd269430f6f2c88a3e404f099548166a0f7c333148db38dbee964323b51e6b90715b2d2d16f786a1b59147f74160e308eb66bc737a9fd26a7b3485247a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b7de84462688cd19db902ace0479afb0_NeikiAnalytics.exe
Filesize
89KB

MD5
6b96ccfc2148a36288bad6d898db8a64

SHA1
d5f1c6cd9b80ab91f95ae45a0eedc719a475e11a

SHA256
7494bd2af8789ec2e27f443b6e931361765cbc1cd6e3ec094232a2ea36b89396

SHA512
268205e89b801c0d4e3d11a75779dca436fa265949876d4085c20207a1b43542d37dd87b1aa4afc34c682b80fe628e6d48be01b8826cccfc4469bbb9fc978d1d

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
63041b7c4840abc49f2e0e26957e3e1f

SHA1
039b8300d0ab092c7291a061a98acf9b7357b979

SHA256
a4f81d8cfc8bb12324a1b7e271b53b71bc58dda1df37551f7a16157ab572c0c4

SHA512
c0b7655b3833e16ec1c775ee01051d0049e84a6b826e6a48f380897a684e2ec64278e483c2ab9046f769d8131180ff9faa7c60baa0a08762e0d6306ff863cf72

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
076d7aaf36ed85a21a5cd85d3cce6b4b

SHA1
50125a8d0e54aacc753b1eef5828ca640836a54e

SHA256
c6448bebf9ae4a5dd4656adea4d10c24748ba112002bddd8b62fe3d5b3041c0a

SHA512
b6fb4f997a0afa5510f283404cf6439a605379704e9290413fdc258a668d26ebf6ac61715a4e7c78103df729de51c670083826e3979e8696b2660dbeed333b2c

Download Submit
memory/212-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/212-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/432-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/436-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/452-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/644-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/808-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/840-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1056-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1196-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1248-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1360-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1360-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1392-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1500-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1512-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1628-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1884-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1904-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2292-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2436-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3100-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3292-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3312-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3312-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3320-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3380-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3380-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3500-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3716-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3724-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3764-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3840-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3924-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4020-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4172-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4320-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4376-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4584-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4624-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4720-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4724-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4772-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4816-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4828-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4832-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4900-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5012-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download