neshta | ed3c3aa7f66a97e2d64748237f273cb53b4c0fd1958a79616ea04b71ce967b81

Analysis

max time kernel
128s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
Size

743KB
MD5

ea1945ffcabaf8e83ed804e7e023a470
SHA1

a44f5d65b356640660739a14dcf87eaecd1a978e
SHA256

ed3c3aa7f66a97e2d64748237f273cb53b4c0fd1958a79616ea04b71ce967b81
SHA512

df84338b6996d1ec86be4f53064456e11fd20b97b7f51d2915bbd1f6a3a5528e1ca39e9ce1f42c720939948f249378abe1f4ef9905ec046ea2fdf5519f974641
SSDEEP

12288:Lp19R+7qkoVXJLwOh2NCSVXL93RK2Mhn+6sWtNivMv:Lp1z+7qpVXJ8lCWYh+TcNiK

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/3916-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/32-27-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/376-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4776-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3152-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2420-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2396-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3576-62-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2060-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/760-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3504-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3612-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4352-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
behavioral2/memory/1128-124-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2268-134-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1584-136-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1292-146-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1956-148-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2520-160-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{97D61~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe	family_neshta
behavioral2/memory/2076-228-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1756-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	family_neshta
behavioral2/memory/3856-254-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5004-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3444-268-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1176-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3152-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4136-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/824-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2464-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-297-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3460-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4692-305-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/928-307-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3504-313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3456-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4628-321-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/640-328-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-329-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1128-331-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4120-337-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1584-339-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4672-345-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3892-352-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3464-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1836-355-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4448-361-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exeEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EA1945~1.EXE

Executes dropped EXE 64 IoCs

Processes:

ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exesvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.com

pid	process
1156	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
3916	svchost.com
32	EA1945~1.EXE
376	svchost.com
4776	EA1945~1.EXE
3152	svchost.com
2420	EA1945~1.EXE
2396	svchost.com
3576	EA1945~1.EXE
4444	svchost.com
2060	EA1945~1.EXE
760	svchost.com
3504	EA1945~1.EXE
3612	svchost.com
4352	EA1945~1.EXE
1128	svchost.com
2268	EA1945~1.EXE
1584	svchost.com
1292	EA1945~1.EXE
1956	svchost.com
2520	EA1945~1.EXE
2076	svchost.com
1756	EA1945~1.EXE
3856	svchost.com
5004	EA1945~1.EXE
3444	svchost.com
1176	EA1945~1.EXE
3152	svchost.com
4136	EA1945~1.EXE
824	svchost.com
2464	EA1945~1.EXE
4444	svchost.com
3460	EA1945~1.EXE
4692	svchost.com
928	EA1945~1.EXE
3504	svchost.com
3456	EA1945~1.EXE
4628	svchost.com
640	EA1945~1.EXE
440	svchost.com
1128	EA1945~1.EXE
4120	svchost.com
1584	EA1945~1.EXE
4672	svchost.com
3892	EA1945~1.EXE
3464	svchost.com
1836	EA1945~1.EXE
4448	svchost.com
3244	EA1945~1.EXE
3960	svchost.com
2936	EA1945~1.EXE
3208	svchost.com
1876	EA1945~1.EXE
4416	svchost.com
1092	EA1945~1.EXE
4432	svchost.com
572	EA1945~1.EXE
4372	svchost.com
1792	EA1945~1.EXE
3644	svchost.com
1232	EA1945~1.EXE
3404	svchost.com
3260	EA1945~1.EXE
2600	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exeea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

Processes:

EA1945~1.EXEsvchost.comsvchost.comEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEsvchost.comsvchost.comEA1945~1.EXEsvchost.comsvchost.comEA1945~1.EXEEA1945~1.EXEsvchost.comsvchost.comEA1945~1.EXEEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comsvchost.comEA1945~1.EXEEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEEA1945~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comEA1945~1.EXEsvchost.comsvchost.comsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEEA1945~1.EXEsvchost.comEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEsvchost.comsvchost.comsvchost.comEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEsvchost.comEA1945~1.EXEEA1945~1.EXEsvchost.comsvchost.comEA1945~1.EXE

description	ioc	process
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	EA1945~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	EA1945~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

EA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXEEA1945~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	EA1945~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exeea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exesvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXEsvchost.comEA1945~1.EXE

description	pid	process	target process
PID 3204 wrote to memory of 1156	3204	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
PID 3204 wrote to memory of 1156	3204	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
PID 3204 wrote to memory of 1156	3204	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
PID 1156 wrote to memory of 3916	1156	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	svchost.com
PID 1156 wrote to memory of 3916	1156	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	svchost.com
PID 1156 wrote to memory of 3916	1156	ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe	svchost.com
PID 3916 wrote to memory of 32	3916	svchost.com	EA1945~1.EXE
PID 3916 wrote to memory of 32	3916	svchost.com	EA1945~1.EXE
PID 3916 wrote to memory of 32	3916	svchost.com	EA1945~1.EXE
PID 32 wrote to memory of 376	32	EA1945~1.EXE	svchost.com
PID 32 wrote to memory of 376	32	EA1945~1.EXE	svchost.com
PID 32 wrote to memory of 376	32	EA1945~1.EXE	svchost.com
PID 376 wrote to memory of 4776	376	svchost.com	EA1945~1.EXE
PID 376 wrote to memory of 4776	376	svchost.com	EA1945~1.EXE
PID 376 wrote to memory of 4776	376	svchost.com	EA1945~1.EXE
PID 4776 wrote to memory of 3152	4776	EA1945~1.EXE	svchost.com
PID 4776 wrote to memory of 3152	4776	EA1945~1.EXE	svchost.com
PID 4776 wrote to memory of 3152	4776	EA1945~1.EXE	svchost.com
PID 3152 wrote to memory of 2420	3152	svchost.com	EA1945~1.EXE
PID 3152 wrote to memory of 2420	3152	svchost.com	EA1945~1.EXE
PID 3152 wrote to memory of 2420	3152	svchost.com	EA1945~1.EXE
PID 2420 wrote to memory of 2396	2420	EA1945~1.EXE	svchost.com
PID 2420 wrote to memory of 2396	2420	EA1945~1.EXE	svchost.com
PID 2420 wrote to memory of 2396	2420	EA1945~1.EXE	svchost.com
PID 2396 wrote to memory of 3576	2396	svchost.com	EA1945~1.EXE
PID 2396 wrote to memory of 3576	2396	svchost.com	EA1945~1.EXE
PID 2396 wrote to memory of 3576	2396	svchost.com	EA1945~1.EXE
PID 3576 wrote to memory of 4444	3576	EA1945~1.EXE	svchost.com
PID 3576 wrote to memory of 4444	3576	EA1945~1.EXE	svchost.com
PID 3576 wrote to memory of 4444	3576	EA1945~1.EXE	svchost.com
PID 4444 wrote to memory of 2060	4444	svchost.com	EA1945~1.EXE
PID 4444 wrote to memory of 2060	4444	svchost.com	EA1945~1.EXE
PID 4444 wrote to memory of 2060	4444	svchost.com	EA1945~1.EXE
PID 2060 wrote to memory of 760	2060	EA1945~1.EXE	svchost.com
PID 2060 wrote to memory of 760	2060	EA1945~1.EXE	svchost.com
PID 2060 wrote to memory of 760	2060	EA1945~1.EXE	svchost.com
PID 760 wrote to memory of 3504	760	svchost.com	svchost.com
PID 760 wrote to memory of 3504	760	svchost.com	svchost.com
PID 760 wrote to memory of 3504	760	svchost.com	svchost.com
PID 3504 wrote to memory of 3612	3504	EA1945~1.EXE	svchost.com
PID 3504 wrote to memory of 3612	3504	EA1945~1.EXE	svchost.com
PID 3504 wrote to memory of 3612	3504	EA1945~1.EXE	svchost.com
PID 3612 wrote to memory of 4352	3612	svchost.com	EA1945~1.EXE
PID 3612 wrote to memory of 4352	3612	svchost.com	EA1945~1.EXE
PID 3612 wrote to memory of 4352	3612	svchost.com	EA1945~1.EXE
PID 4352 wrote to memory of 1128	4352	EA1945~1.EXE	EA1945~1.EXE
PID 4352 wrote to memory of 1128	4352	EA1945~1.EXE	EA1945~1.EXE
PID 4352 wrote to memory of 1128	4352	EA1945~1.EXE	EA1945~1.EXE
PID 1128 wrote to memory of 2268	1128	svchost.com	EA1945~1.EXE
PID 1128 wrote to memory of 2268	1128	svchost.com	EA1945~1.EXE
PID 1128 wrote to memory of 2268	1128	svchost.com	EA1945~1.EXE
PID 2268 wrote to memory of 1584	2268	EA1945~1.EXE	EA1945~1.EXE
PID 2268 wrote to memory of 1584	2268	EA1945~1.EXE	EA1945~1.EXE
PID 2268 wrote to memory of 1584	2268	EA1945~1.EXE	EA1945~1.EXE
PID 1584 wrote to memory of 1292	1584	svchost.com	EA1945~1.EXE
PID 1584 wrote to memory of 1292	1584	svchost.com	EA1945~1.EXE
PID 1584 wrote to memory of 1292	1584	svchost.com	EA1945~1.EXE
PID 1292 wrote to memory of 1956	1292	EA1945~1.EXE	svchost.com
PID 1292 wrote to memory of 1956	1292	EA1945~1.EXE	svchost.com
PID 1292 wrote to memory of 1956	1292	EA1945~1.EXE	svchost.com
PID 1956 wrote to memory of 2520	1956	svchost.com	EA1945~1.EXE
PID 1956 wrote to memory of 2520	1956	svchost.com	EA1945~1.EXE
PID 1956 wrote to memory of 2520	1956	svchost.com	EA1945~1.EXE
PID 2520 wrote to memory of 2076	2520	EA1945~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\3582-490\ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
22⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
23⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
24⤵
- Checks computer location settings
- Executes dropped EXE
PID:1756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
25⤵
- Executes dropped EXE
PID:3856

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
26⤵
- Executes dropped EXE
PID:5004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
27⤵
- Executes dropped EXE
PID:3444

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
29⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
30⤵
- Executes dropped EXE
- Modifies registry class
PID:4136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
31⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
33⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
34⤵
- Checks computer location settings
- Executes dropped EXE
PID:3460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
35⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
36⤵
- Executes dropped EXE
PID:928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
37⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
38⤵
- Executes dropped EXE
- Modifies registry class
PID:3456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
39⤵
- Executes dropped EXE
PID:4628

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
40⤵
- Executes dropped EXE
PID:640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
41⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:440

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
42⤵
- Executes dropped EXE
- Modifies registry class
PID:1128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
43⤵
- Executes dropped EXE
PID:4120

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
44⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
45⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
46⤵
- Executes dropped EXE
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
47⤵
- Executes dropped EXE
PID:3464

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
48⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
49⤵
- Executes dropped EXE
PID:4448

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
50⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
51⤵
- Executes dropped EXE
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
52⤵
- Checks computer location settings
- Executes dropped EXE
PID:2936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
53⤵
- Executes dropped EXE
PID:3208

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
54⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
55⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
56⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
57⤵
- Executes dropped EXE
PID:4432

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
58⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
59⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
60⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
61⤵
- Executes dropped EXE
PID:3644

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
62⤵
- Executes dropped EXE
- Modifies registry class
PID:1232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3404

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
64⤵
- Checks computer location settings
- Executes dropped EXE
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
65⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
66⤵
- Modifies registry class
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
67⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
68⤵
- Checks computer location settings
- Modifies registry class
PID:4468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
69⤵
- Drops file in Windows directory
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
70⤵
- Drops file in Windows directory
- Modifies registry class
PID:1116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
71⤵
- Drops file in Windows directory
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
72⤵
- Checks computer location settings
PID:4352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
73⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
74⤵
PID:1688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
75⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
76⤵
- Modifies registry class
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
77⤵
- Drops file in Windows directory
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
78⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
79⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
80⤵
- Checks computer location settings
PID:4840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
81⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
82⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
83⤵
- Drops file in Windows directory
PID:428

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
84⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
85⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
86⤵
- Checks computer location settings
PID:3208

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
87⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
88⤵
- Checks computer location settings
PID:3240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
89⤵
- Drops file in Windows directory
PID:1756

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
90⤵
PID:3212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
91⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
92⤵
- Checks computer location settings
- Modifies registry class
PID:3312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
93⤵
- Drops file in Windows directory
PID:3444

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
94⤵
- Checks computer location settings
- Drops file in Windows directory
PID:688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
95⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
96⤵
- Drops file in Windows directory
PID:3388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
97⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
98⤵
- Checks computer location settings
PID:1460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
99⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
100⤵
PID:4308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
101⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
102⤵
- Checks computer location settings
- Modifies registry class
PID:3812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
103⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
104⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
105⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
106⤵
- Modifies registry class
PID:4140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
107⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
108⤵
PID:984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
109⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
110⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
111⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
112⤵
- Checks computer location settings
- Modifies registry class
PID:2388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
113⤵
- Drops file in Windows directory
PID:2620

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
114⤵
- Checks computer location settings
- Modifies registry class
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
115⤵
- Drops file in Windows directory
PID:4356

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
116⤵
- Checks computer location settings
PID:4968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
117⤵
- Drops file in Windows directory
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
118⤵
- Checks computer location settings
PID:412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
119⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
120⤵
- Checks computer location settings
PID:3036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
121⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
122⤵
- Modifies registry class
PID:3828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
123⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
124⤵
PID:3312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
125⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
126⤵
- Checks computer location settings
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
127⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
128⤵
PID:1532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
129⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
130⤵
- Drops file in Windows directory
- Modifies registry class
PID:4936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
131⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
132⤵
- Modifies registry class
PID:3456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
133⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
134⤵
- Modifies registry class
PID:8

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
135⤵
- Drops file in Windows directory
PID:4140

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
136⤵
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
137⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
138⤵
- Checks computer location settings
- Modifies registry class
PID:3524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
139⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
140⤵
- Checks computer location settings
- Modifies registry class
PID:3244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
141⤵
- Drops file in Windows directory
PID:556

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
142⤵
- Checks computer location settings
- Modifies registry class
PID:2936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
143⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
144⤵
- Modifies registry class
PID:4960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
145⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
146⤵
- Modifies registry class
PID:3468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
147⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
148⤵
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
149⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
150⤵
PID:2384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
151⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
152⤵
- Checks computer location settings
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
153⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
154⤵
- Checks computer location settings
- Modifies registry class
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
155⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
156⤵
- Modifies registry class
PID:4468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
157⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
158⤵
- Checks computer location settings
PID:2000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
159⤵
- Drops file in Windows directory
PID:3544

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
160⤵
PID:3456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
161⤵
- Drops file in Windows directory
PID:1292

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
162⤵
- Modifies registry class
PID:1688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
163⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
164⤵
- Checks computer location settings
PID:1872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
165⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
166⤵
- Drops file in Windows directory
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
167⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
168⤵
- Checks computer location settings
- Modifies registry class
PID:4928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
169⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
170⤵
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
171⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
172⤵
- Checks computer location settings
- Modifies registry class
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
173⤵
- Drops file in Windows directory
PID:5016

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
174⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
175⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
176⤵
- Modifies registry class
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
177⤵
- Drops file in Windows directory
PID:3788

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
178⤵
PID:1084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
179⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
180⤵
- Checks computer location settings
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
181⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
182⤵
- Modifies registry class
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
183⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
184⤵
PID:1008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
185⤵
- Drops file in Windows directory
PID:4936

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
186⤵
- Checks computer location settings
- Modifies registry class
PID:4456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
187⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
188⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
189⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
190⤵
- Modifies registry class
PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
191⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
192⤵
- Drops file in Windows directory
PID:4228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
193⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
194⤵
- Checks computer location settings
- Modifies registry class
PID:4844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
195⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
196⤵
- Modifies registry class
PID:3932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
197⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
198⤵
- Checks computer location settings
- Drops file in Windows directory
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
199⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
200⤵
- Checks computer location settings
- Modifies registry class
PID:3700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
201⤵
- Drops file in Windows directory
PID:2808

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
202⤵
PID:4368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
203⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
204⤵
- Modifies registry class
PID:2724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
205⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
206⤵
PID:5024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
207⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
208⤵
- Drops file in Windows directory
PID:2608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
209⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
210⤵
PID:2656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
211⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
212⤵
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
213⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
214⤵
- Checks computer location settings
- Modifies registry class
PID:1872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
215⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
216⤵
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
217⤵
- Drops file in Windows directory
PID:2520

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
218⤵
- Checks computer location settings
- Modifies registry class
PID:2456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
219⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
220⤵
- Checks computer location settings
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
221⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
222⤵
- Modifies registry class
PID:2488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
223⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
224⤵
- Modifies registry class
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
225⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
226⤵
PID:2884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
227⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
228⤵
- Drops file in Windows directory
- Modifies registry class
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
229⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
230⤵
PID:2668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
231⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
232⤵
- Modifies registry class
PID:3788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
233⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
234⤵
PID:984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
235⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
236⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
237⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
238⤵
- Modifies registry class
PID:1380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
239⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
240⤵
- Modifies registry class
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
241⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
242⤵
- Modifies registry class
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
243⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
244⤵
- Checks computer location settings
PID:4960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
245⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
246⤵
- Modifies registry class
PID:1924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
247⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
248⤵
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
249⤵
- Drops file in Windows directory
PID:1548

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
250⤵
- Drops file in Windows directory
- Modifies registry class
PID:2792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
251⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
252⤵
- Checks computer location settings
PID:5096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
253⤵
- Drops file in Windows directory
PID:4936

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
254⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
255⤵
- Drops file in Windows directory
PID:2932

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
256⤵
PID:2000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
257⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
258⤵
- Modifies registry class
PID:3908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
259⤵
- Drops file in Windows directory
PID:3804

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
260⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
261⤵
- Drops file in Windows directory
PID:5092

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
262⤵
- Checks computer location settings
PID:3136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
263⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
264⤵
PID:3244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
265⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
266⤵
- Drops file in Windows directory
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
267⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
268⤵
- Checks computer location settings
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
269⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
270⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
271⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
272⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
273⤵
- Drops file in Windows directory
PID:2196

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
274⤵
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
275⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
276⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
277⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
278⤵
- Checks computer location settings
PID:3644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
279⤵
- Drops file in Windows directory
PID:816

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
280⤵
PID:4140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
281⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
282⤵
- Checks computer location settings
- Modifies registry class
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
283⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
284⤵
- Drops file in Windows directory
- Modifies registry class
PID:3124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
285⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
286⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
287⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
288⤵
PID:2240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
289⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
290⤵
- Checks computer location settings
PID:556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
291⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
292⤵
- Checks computer location settings
- Modifies registry class
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
293⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
294⤵
- Modifies registry class
PID:2712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
295⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
296⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
297⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
298⤵
- Checks computer location settings
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
299⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
300⤵
- Drops file in Windows directory
PID:628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
301⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
302⤵
- Checks computer location settings
PID:4384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE"
303⤵
- Drops file in Windows directory
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\EA1945~1.EXE
304⤵
PID:1532

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3340

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3828

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Filesize
558KB

MD5
15f4411f1b14234b5bed948ed78fa86e

SHA1
f9775a3d87efb22702d934322ffcda3511b79c17

SHA256
cd6c08078343089d299a30f7bf16555ab349e946892dca1c49c6c0336d27ff0e

SHA512
c44d2e96d6d0264075379066fd5d11ba30a675bb6f6b6279c4ac0d12066975c30c33b69b52457cbed4e35852e8b15b3daad9274d6f957ae0681fb7a6c48a33cb

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
814KB

MD5
1871539ce7d10fa86a69d88817c88699

SHA1
77cd85e3be185549f58b9717d2ba442bbb4b3702

SHA256
5fa917ecb3603cec549bc4ba0b23b1a028100322e6f07bb1bc8f4c101fac38db

SHA512
1ab5408adad0fcbc95018ad748a7561e72897f866eab85318ce2ccdbadd7a3a5622ee31d7903d2d9ad9dece3d81acdbdb32807e62824b8a36fd13ec1484fb44a

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
Filesize
325KB

MD5
0511abca39ed6d36fff86a8b6f2266cd

SHA1
bfe55ac898d7a570ec535328b6283a1cdfa33b00

SHA256
76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8

SHA512
6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe
Filesize
546KB

MD5
e9fb27bf62ef26b3288b5fe9ddf2f482

SHA1
eb4908aa50c11ae43df2fbdb0c80ddd41443624e

SHA256
9ea04cf00d8c01e4099195e5289c2e8221cdb7217c773222d1a55473b854f1b3

SHA512
89fc0a4d2fa078315ca25ddeeaaa911ffb82d10669b0987d9bd67b149e09d73d0c356c656a519be7d65b93da831ea9da4f7617595ec01697390ca8bb00743ffa

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
Filesize
155KB

MD5
f7c714dbf8e08ca2ed1a2bfb8ca97668

SHA1
cc78bf232157f98b68b8d81327f9f826dabb18ab

SHA256
fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899

SHA512
28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{97D61~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe
Filesize
1.6MB

MD5
0a17ce73dce10a28856c9f5ad052a4df

SHA1
467522c87a4e3fd1f7b690aaeaa57cfa0b407bb0

SHA256
1971d71fd68cf61420813b19b577184efa918c556cf131ab27359d6af6dc0656

SHA512
7c038dcedc4d8c58f3dbe0d36e5670d04aa24b452547dfd2bb7cebc69d25d0fefb59a788ae356f95db427ff1391604643cba7600f1d84c181ba09b3d25290f25

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Filesize
550KB

MD5
96139c14b977d1c467630b436b092129

SHA1
9cefa1b1f0cd9ab78855ffc4436cdbf93d3261b1

SHA256
e592bb4e6dbde3b35f7c7bd111c78a3211ced64ef543d0c9ec98471929145748

SHA512
de2a61c19b0bcec32228845ced9dac980d1e54168c78e073473ecf9b97e22f80770ab0aa2f2a36e06f323abc33124c874d52e5e2bc70a69d3bd2128e52b7493b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ea1945ffcabaf8e83ed804e7e023a470_NeikiAnalytics.exe
Filesize
702KB

MD5
8520a3a0e0d1f5fe67b248b4dd75e321

SHA1
4ec9545c09363db4df1966631a17c5c19794c39a

SHA256
47af834494717938d51a0b05097acefda202e80602f6abd2bb1bd739087cab4a

SHA512
e73ec5420f6120de62cf958ff98fbec6437e9b109485ad6d2435f8ee2e11e515b3ffe3fd1386cf4f14f2743efd2b8654170c12118496be7ad29ea9f4ae4965ad

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
2fc7df77f86c94f155c4994eeeaaf60c

SHA1
ca24604ead08c0e676de920ba7329dfc4ad701a3

SHA256
624fdf984788063fca7331e92058bf2e3d1f17d864ce3c4219ff1d7813696f4b

SHA512
2c2bffb397f6c7d861f67c695d568ac1a2ae0f43840af0a88db57cb6f6f24c976baaf7d73cc4141404d57919a08712c6c7b444e29d6f6745abf90fbaadd619e8

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
34aa6ed23ca1ab7a34ee03c8d3534534

SHA1
00faf8958e3f47959fac1fbb63a2dfc9327b90f8

SHA256
3125839ecbcd9fcaa01c51674c531b0c7976c49cbbbd33897e266b37cdb9d1e2

SHA512
d85ce8070488d95eb46ed1adb5ebe55fc21a925449d82947b1e3f65fb7b3a74c09fa4eb9ff3a9f93527057b74fc55dc1823ab06c150afa50379ff0efc23f3cb0

Download Submit
memory/32-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/376-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/572-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/640-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/760-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/824-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/928-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1128-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1128-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1232-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1292-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1584-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1584-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1876-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1956-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2464-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3208-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3244-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3260-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3404-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3456-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3460-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3464-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3504-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3504-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3612-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3856-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3916-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3960-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4120-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4136-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4352-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4372-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4416-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4448-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4672-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4692-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4776-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5004-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5048-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download