Overview
overview
10Static
static
10GlobalProt...th.dll
windows7-x64
1GlobalProt...th.dll
windows10-2004-x64
1GlobalProt...64.dll
windows7-x64
1GlobalProt...64.dll
windows10-2004-x64
1GlobalProt...ip.dll
windows7-x64
1GlobalProt...ip.dll
windows10-2004-x64
1GlobalProt...fs.jar
windows7-x64
1GlobalProt...fs.jar
windows10-2004-x64
1GlobalProt...er.jar
windows7-x64
1GlobalProt...er.jar
windows10-2004-x64
1GlobalProt...ce.dll
windows7-x64
3GlobalProt...ce.dll
windows10-2004-x64
3GlobalProt...ce.dll
windows7-x64
5GlobalProt...ce.dll
windows10-2004-x64
5GlobalProt...n.html
windows7-x64
3GlobalProt...n.html
windows10-2004-x64
5GlobalProt...EN.exe
windows7-x64
1GlobalProt...EN.exe
windows10-2004-x64
1GlobalProt...N.html
windows7-x64
3GlobalProt...N.html
windows10-2004-x64
5GlobalProt...W.html
windows7-x64
3GlobalProt...W.html
windows10-2004-x64
5GlobalProt...im.dll
windows7-x64
5GlobalProt...im.dll
windows10-2004-x64
5GlobalProt...sc.dll
windows7-x64
5GlobalProt...sc.dll
windows10-2004-x64
5GlobalProt....1.jar
windows7-x64
1GlobalProt....1.jar
windows10-2004-x64
1GlobalProt....0.jar
windows7-x64
7GlobalProt....0.jar
windows10-2004-x64
7GlobalProt....0.jar
windows7-x64
1GlobalProt....0.jar
windows10-2004-x64
1Analysis
-
max time kernel
1442s -
max time network
1458s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26/07/2024, 09:06
Behavioral task
behavioral1
Sample
GlobalProtect64/jre/bin/w2k_lsa_auth.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
GlobalProtect64/jre/bin/w2k_lsa_auth.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
GlobalProtect64/jre/bin/windowsaccessbridge-64.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
GlobalProtect64/jre/bin/windowsaccessbridge-64.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
GlobalProtect64/jre/bin/zip.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
GlobalProtect64/jre/bin/zip.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
GlobalProtect64/jre/lib/jrt-fs.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
GlobalProtect64/jre/lib/jrt-fs.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
GlobalProtect64/launcher.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
GlobalProtect64/launcher.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
GlobalProtect64/lib32/RTDService.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
GlobalProtect64/lib32/RTDService.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
GlobalProtect64/lib64/RTDService.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
GlobalProtect64/lib64/RTDService.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
GlobalProtect64/license_en.html
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral16
Sample
GlobalProtect64/license_en.html
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
GlobalProtect64/license_us_EN.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral18
Sample
GlobalProtect64/license_us_EN.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
GlobalProtect64/license_zh_CN.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
GlobalProtect64/license_zh_CN.html
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
GlobalProtect64/license_zh_TW.html
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
GlobalProtect64/license_zh_TW.html
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
GlobalProtect64/npthinkorswim.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
GlobalProtect64/npthinkorswim.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
GlobalProtect64/nptossc.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
GlobalProtect64/nptossc.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
GlobalProtect64/suit/1979.1.503/VeracodeAnnotations-1.2.1.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
GlobalProtect64/suit/1979.1.503/VeracodeAnnotations-1.2.1.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
GlobalProtect64/suit/1979.1.503/jna-5.7.0.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
GlobalProtect64/suit/1979.1.503/jna-5.7.0.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
GlobalProtect64/suit/1979.1.503/jna-platform-5.7.0.jar
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
GlobalProtect64/suit/1979.1.503/jna-platform-5.7.0.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
GlobalProtect64/npthinkorswim.dll
-
Size
905KB
-
MD5
98f22818f5536375e206ee86a5665a68
-
SHA1
246a6abffbcd718a609eddcd7d7c916ed58c3f66
-
SHA256
52ff17f854cd064698b54c8381bdddbe29791a9b582decbd7894fb3472cd56da
-
SHA512
76a673757bde180c530ba4ef8b5aec9e58014596d86982d8ec62e10facf17ebc36d5bef935d248c424b36d147fca86c1b5ac033549a0c00d08c39246baa93e42
-
SSDEEP
24576:qO3ZsjnZqTL8FRJUL+xpPNQRQa3E09kNXKM26pF7U+LFCB+WERgpeT:tXTL8a9cvU+LUkWIgpe
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TDAmeritrade.thinkorswim.1\ = "thinkorswim loader" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TDAmeritrade.thinkorswim.1\CLSID\ = "{79b4acff-94d2-58c5-baf6-23df99c7fcba}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0 regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\ = "IFBComEventSource" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\AppID\npthinkorswim.dll regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\MIME\Database\Content Type regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\Control regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TDAmeritrade.thinkorswim\CurVer regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\Version regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0} regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0}\TypeLib regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\TypeLib regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\TypeLib\ = "{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\MIME\Database\Content Type\application/x-thinkorswim\ = "thinkorswim loader" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0} regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\TypeLib regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\ProgID regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\TypeLib\ = "{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\TypeLib regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7} regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\TypeLib regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0}\TypeLib\ = "{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\TypeLib\ = "{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GlobalProtect64" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\ = "IFBComJavascriptObject" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\AppID\{B415CD14-B45D-4BCA-B552-B06175C38606} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\AppID\{B415CD14-B45D-4BCA-B552-B06175C38606}\ = "FireBreathWin" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GlobalProtect64\\npthinkorswim.dll" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\InprocServer32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7FA3BDF1-DDC6-5B96-98D2-E6D97AC857D0}\TypeLib\ = "{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TDAmeritrade.thinkorswim.1\CLSID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TDAmeritrade.thinkorswim\CLSID regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\Version\ = "1" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\ = "thinkorswim 1.0 Type Library" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{AA90F309-5AC8-5053-9EE6-FDE0130F42D7}\ = "IFBComJavascriptObject" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{F2BAA0B2-3EB7-5D91-98D4-2E554F201A7B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\MIME regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\MIME\Database\Content Type\application/x-thinkorswim regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\MIME\Database\Content Type\application/x-thinkorswim\Extension regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\MIME\Database\Content Type\application/x-thinkorswim\CLSID = "{79b4acff-94d2-58c5-baf6-23df99c7fcba}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TDAmeritrade.thinkorswim.1 regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\TypeLib\ = "{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{A6B6ACA6-7535-5FA5-8262-486818D7A5B6}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\Programmable regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29 PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29 PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29 PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29 PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29 PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29 PID 3052 wrote to memory of 2556 3052 regsvr32.exe 29
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\GlobalProtect64\npthinkorswim.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\GlobalProtect64\npthinkorswim.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2556
-