3Analysis
-
max time kernel
190s -
max time network
222s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
26-04-2024 15:47
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
Setup.exe
Resource
win11-20240419-en
Behavioral task
behavioral6
Sample
Chrome.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Chrome.exe
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
Chrome.exe
Resource
win10-20240404-en
Behavioral task
behavioral9
Sample
Chrome.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral10
Sample
Chrome.exe
Resource
win11-20240419-en
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral13
Sample
Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral15
Sample
Setup.exe
Resource
win11-20240412-en
General
-
Target
Setup.exe
-
Size
22.5MB
-
MD5
a4e313952f14d899867d53c80335dce3
-
SHA1
7703d0a9725dea829dd023d9575322ccae81319c
-
SHA256
9e60d8f8d14a520f023015e9b7e1254756a0bbebe294707cd705f5262b2e07b5
-
SHA512
018a2cc0841fd568d2fe3ade35f708dcb06d9ce148a3c085ccdcb70ab51999f7167b57f5c45c665758cfc72371a5bac002425241d3d89639382fc706a325059e
-
SSDEEP
393216:7qwr6Kwzs3OQs5rmJdW96tBbcQR+yu/tKWao+L37GcrKCUcrfuqIC:7qwFwzs+Q6ridk+hcQR+yusk+LLxrKCv
Malware Config
Extracted
nanocore
1.2.2.0
haxorbaba.duckdns.org:1604
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-05-25T14:42:31.650976636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3994
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
haxorbaba.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2984 Chrome.exe 2844 Chrome.exe 2676 Chrome.exe 2928 Chrome.exe 2604 Chrome.exe 2532 Chrome.exe 2136 Chrome.exe 2488 Chrome.exe 3024 Chrome.exe 2108 Chrome.exe 3028 Chrome.exe 2832 Chrome.exe 2908 Chrome.exe 2808 Chrome.exe 2892 Chrome.exe 1656 Chrome.exe 472 Chrome.exe 1492 Chrome.exe 412 Chrome.exe 2168 Chrome.exe 992 Chrome.exe 292 Chrome.exe 892 Chrome.exe 644 Chrome.exe 2288 Chrome.exe 1732 Chrome.exe 2244 Chrome.exe 1596 Chrome.exe 1712 Chrome.exe 2068 Chrome.exe 2616 Chrome.exe 2788 Chrome.exe 2464 Chrome.exe 1164 Chrome.exe 2768 Chrome.exe 2752 Chrome.exe 2624 Chrome.exe 952 Chrome.exe 2588 Chrome.exe 2512 Chrome.exe 3040 Chrome.exe 1332 Chrome.exe 1800 Chrome.exe 2736 Chrome.exe 1204 Chrome.exe 716 Chrome.exe 1976 Chrome.exe 1668 Chrome.exe 1448 Chrome.exe 1080 Chrome.exe 472 Chrome.exe 1704 Chrome.exe 1168 Chrome.exe 2160 Chrome.exe 892 Chrome.exe 2096 Chrome.exe 2228 Chrome.exe 2420 Chrome.exe 2040 Chrome.exe 1156 Chrome.exe 1736 Chrome.exe 2592 Chrome.exe 2172 Chrome.exe 1112 Chrome.exe -
Loads dropped DLL 64 IoCs
pid Process 2924 Setup.exe 2924 Setup.exe 2148 Setup.exe 2148 Setup.exe 2036 Setup.exe 2036 Setup.exe 2660 Setup.exe 2660 Setup.exe 2476 Setup.exe 2476 Setup.exe 2876 Setup.exe 2604 Chrome.exe 2876 Setup.exe 2928 Chrome.exe 2844 Chrome.exe 2984 Chrome.exe 2676 Chrome.exe 2488 Chrome.exe 2768 Setup.exe 2768 Setup.exe 2908 Chrome.exe 2816 Setup.exe 2816 Setup.exe 2892 Chrome.exe 3060 Setup.exe 3060 Setup.exe 472 Chrome.exe 280 Setup.exe 280 Setup.exe 412 Chrome.exe 2960 Setup.exe 2960 Setup.exe 992 Chrome.exe 1168 Setup.exe 1168 Setup.exe 892 Chrome.exe 920 Setup.exe 920 Setup.exe 2288 Chrome.exe 2420 Setup.exe 2420 Setup.exe 2244 Chrome.exe 1156 Setup.exe 1156 Setup.exe 1712 Chrome.exe 2552 Setup.exe 2552 Setup.exe 2616 Chrome.exe 2688 Setup.exe 2688 Setup.exe 2464 Chrome.exe 2640 Setup.exe 2640 Setup.exe 2768 Chrome.exe 2712 Setup.exe 2712 Setup.exe 2624 Chrome.exe 2584 Setup.exe 2584 Setup.exe 2588 Chrome.exe 2652 Setup.exe 2652 Setup.exe 3040 Chrome.exe 2444 Setup.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" Chrome.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chrome.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 2604 set thread context of 2532 2604 Chrome.exe 40 PID 2984 set thread context of 2136 2984 Chrome.exe 44 PID 2928 set thread context of 3024 2928 Chrome.exe 41 PID 2844 set thread context of 2108 2844 Chrome.exe 43 PID 2676 set thread context of 3028 2676 Chrome.exe 42 PID 2488 set thread context of 2832 2488 Chrome.exe 46 PID 2908 set thread context of 2808 2908 Chrome.exe 48 PID 2892 set thread context of 1656 2892 Chrome.exe 53 PID 472 set thread context of 1492 472 Chrome.exe 57 PID 412 set thread context of 2168 412 Chrome.exe 61 PID 992 set thread context of 292 992 Chrome.exe 64 PID 892 set thread context of 644 892 Chrome.exe 67 PID 2288 set thread context of 1732 2288 Chrome.exe 70 PID 2244 set thread context of 1596 2244 Chrome.exe 73 PID 1712 set thread context of 2068 1712 Chrome.exe 76 PID 2616 set thread context of 2788 2616 Chrome.exe 79 PID 2464 set thread context of 1164 2464 Chrome.exe 82 PID 2768 set thread context of 2752 2768 Chrome.exe 85 PID 2624 set thread context of 952 2624 Chrome.exe 88 PID 2588 set thread context of 2512 2588 Chrome.exe 91 PID 3040 set thread context of 1332 3040 Chrome.exe 94 PID 1800 set thread context of 2736 1800 Chrome.exe 97 PID 1204 set thread context of 716 1204 Chrome.exe 100 PID 1976 set thread context of 1668 1976 Chrome.exe 103 PID 1448 set thread context of 1080 1448 Chrome.exe 106 PID 472 set thread context of 1704 472 Chrome.exe 109 PID 1168 set thread context of 2160 1168 Chrome.exe 112 PID 892 set thread context of 2096 892 Chrome.exe 115 PID 2228 set thread context of 2420 2228 Chrome.exe 118 PID 2040 set thread context of 1156 2040 Chrome.exe 121 PID 1736 set thread context of 2592 1736 Chrome.exe 124 PID 2172 set thread context of 1112 2172 Chrome.exe 127 PID 2728 set thread context of 3008 2728 Chrome.exe 130 PID 2828 set thread context of 2772 2828 Chrome.exe 133 PID 2604 set thread context of 2488 2604 Chrome.exe 136 PID 2340 set thread context of 2720 
2340 Chrome.exe 139 PID 1924 set thread context of 2052 1924 Chrome.exe 142 PID 668 set thread context of 1476 668 Chrome.exe 145 PID 2220 set thread context of 1172 2220 Chrome.exe 148 PID 2024 set thread context of 1680 2024 Chrome.exe 151 PID 1752 set thread context of 900 1752 Chrome.exe 154 PID 2792 set thread context of 1764 2792 Chrome.exe 157 PID 2516 set thread context of 2992 2516 Chrome.exe 160 PID 2500 set thread context of 2632 2500 Chrome.exe 163 PID 2928 set thread context of 2272 2928 Chrome.exe 166 PID 1128 set thread context of 1452 1128 Chrome.exe 169 PID 1844 set thread context of 2184 1844 Chrome.exe 172 PID 556 set thread context of 2380 556 Chrome.exe 175 PID 1772 set thread context of 652 1772 Chrome.exe 178 PID 572 set thread context of 2576 572 Chrome.exe 181 PID 1912 set thread context of 2036 1912 Chrome.exe 184 PID 1736 set thread context of 2756 1736 Chrome.exe 187 PID 2796 set thread context of 2784 2796 Chrome.exe 190 PID 2556 set thread context of 2768 2556 Chrome.exe 193 PID 1164 set thread context of 580 1164 Chrome.exe 196 PID 1744 set thread context of 2256 1744 Chrome.exe 199 PID 1852 set thread context of 1044 1852 Chrome.exe 202 PID 1168 set thread context of 1772 1168 Chrome.exe 205 PID 2808 set thread context of 1676 2808 Chrome.exe 208 PID 816 set thread context of 2840 816 Chrome.exe 211 PID 1160 set thread context of 972 1160 Chrome.exe 214 PID 1636 set thread context of 2932 1636 Chrome.exe 217 PID 596 set thread context of 1708 596 Chrome.exe 220 PID 844 set thread context of 2580 844 Chrome.exe 223 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\TCP Service\tcpsv.exe Chrome.exe File opened for modification C:\Program Files (x86)\TCP Service\tcpsv.exe Chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 888 schtasks.exe 1820 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe 2832 Chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2832 Chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2676 Chrome.exe Token: SeDebugPrivilege 2984 Chrome.exe Token: SeDebugPrivilege 2844 Chrome.exe Token: SeDebugPrivilege 2928 Chrome.exe Token: SeDebugPrivilege 2604 Chrome.exe Token: SeDebugPrivilege 2488 Chrome.exe Token: SeDebugPrivilege 2908 Chrome.exe Token: SeDebugPrivilege 2892 Chrome.exe Token: SeDebugPrivilege 472 Chrome.exe Token: SeDebugPrivilege 412 Chrome.exe Token: SeDebugPrivilege 992 Chrome.exe Token: SeDebugPrivilege 2832 Chrome.exe Token: SeDebugPrivilege 892 Chrome.exe Token: SeDebugPrivilege 2288 Chrome.exe Token: SeDebugPrivilege 2244 Chrome.exe Token: SeDebugPrivilege 1712 Chrome.exe Token: SeDebugPrivilege 2616 Chrome.exe Token: SeDebugPrivilege 2464 Chrome.exe Token: SeDebugPrivilege 2768 Chrome.exe Token: SeDebugPrivilege 2624 Chrome.exe Token: SeDebugPrivilege 2588 Chrome.exe Token: SeDebugPrivilege 3040 Chrome.exe Token: SeDebugPrivilege 1800 Chrome.exe Token: SeDebugPrivilege 1204 Chrome.exe Token: SeDebugPrivilege 1976 Chrome.exe Token: SeDebugPrivilege 1448 Chrome.exe Token: SeDebugPrivilege 472 Chrome.exe Token: SeDebugPrivilege 1168 Chrome.exe Token: SeDebugPrivilege 892 Chrome.exe Token: SeDebugPrivilege 2228 Chrome.exe Token: SeDebugPrivilege 2040 Chrome.exe Token: SeDebugPrivilege 1736 Chrome.exe Token: SeDebugPrivilege 2172 Chrome.exe Token: SeDebugPrivilege 2728 Chrome.exe Token: SeDebugPrivilege 2828 Chrome.exe Token: SeDebugPrivilege 2604 Chrome.exe Token: SeDebugPrivilege 2340 Chrome.exe Token: SeDebugPrivilege 1924 Chrome.exe Token: SeDebugPrivilege 668 Chrome.exe Token: SeDebugPrivilege 2220 Chrome.exe Token: SeDebugPrivilege 2024 Chrome.exe Token: SeDebugPrivilege 1752 Chrome.exe Token: SeDebugPrivilege 2792 Chrome.exe Token: SeDebugPrivilege 2516 Chrome.exe Token: SeDebugPrivilege 2500 Chrome.exe Token: SeDebugPrivilege 2928 Chrome.exe Token: SeDebugPrivilege 1128 Chrome.exe Token: SeDebugPrivilege 1844 Chrome.exe Token: SeDebugPrivilege 556 Chrome.exe Token: SeDebugPrivilege 
1772 Chrome.exe Token: SeDebugPrivilege 572 Chrome.exe Token: SeDebugPrivilege 1912 Chrome.exe Token: SeDebugPrivilege 1736 Chrome.exe Token: SeDebugPrivilege 2796 Chrome.exe Token: SeDebugPrivilege 2556 Chrome.exe Token: SeDebugPrivilege 1164 Chrome.exe Token: SeDebugPrivilege 1744 Chrome.exe Token: SeDebugPrivilege 1852 Chrome.exe Token: SeDebugPrivilege 1168 Chrome.exe Token: SeDebugPrivilege 2808 Chrome.exe Token: SeDebugPrivilege 816 Chrome.exe Token: SeDebugPrivilege 1160 Chrome.exe Token: SeDebugPrivilege 1636 Chrome.exe Token: SeDebugPrivilege 596 Chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2148 2924 Setup.exe 28 PID 2924 wrote to memory of 2984 2924 Setup.exe 29 PID 2924 wrote to memory of 2984 2924 Setup.exe 29 PID 2924 wrote to memory of 2984 2924 Setup.exe 29 PID 2924 wrote to memory of 2984 2924 Setup.exe 29 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2036 2148 Setup.exe 30 PID 2148 wrote to memory of 2844 2148 Setup.exe 31 PID 2148 wrote to memory of 2844 2148 Setup.exe 31 PID 2148 wrote to memory of 2844 2148 Setup.exe 31 PID 2148 wrote to memory of 2844 2148 Setup.exe 31 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2660 2036 Setup.exe 32 PID 2036 wrote to memory of 2676 2036 Setup.exe 33 PID 2036 wrote to memory of 2676 2036 Setup.exe 33 PID 2036 wrote to memory of 2676 2036 Setup.exe 33 PID 2036 wrote to memory of 2676 2036 Setup.exe 33 PID 2660 wrote to memory of 2476 2660 Setup.exe 34 PID 2660 wrote to memory of 2476 2660 Setup.exe 34 PID 2660 wrote to memory of 2476 2660 Setup.exe 34 PID 2660 wrote to memory of 2476 2660 Setup.exe 34 PID 2660 wrote to memory of 2476 2660 Setup.exe 34 PID 2660 wrote to 
memory of 2476 2660 Setup.exe 34 PID 2660 wrote to memory of 2476 2660 Setup.exe 34 PID 2660 wrote to memory of 2928 2660 Setup.exe 35 PID 2660 wrote to memory of 2928 2660 Setup.exe 35 PID 2660 wrote to memory of 2928 2660 Setup.exe 35 PID 2660 wrote to memory of 2928 2660 Setup.exe 35 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2876 2476 Setup.exe 36 PID 2476 wrote to memory of 2604 2476 Setup.exe 37 PID 2476 wrote to memory of 2604 2476 Setup.exe 37 PID 2476 wrote to memory of 2604 2476 Setup.exe 37 PID 2476 wrote to memory of 2604 2476 Setup.exe 37 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2768 2876 Setup.exe 84 PID 2876 wrote to memory of 2488 2876 Setup.exe 39 PID 2876 wrote to memory of 2488 2876 Setup.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"7⤵
- Loads dropped DLL
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"8⤵
- Loads dropped DLL
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"9⤵
- Loads dropped DLL
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"10⤵
- Loads dropped DLL
PID:280 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"11⤵
- Loads dropped DLL
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"12⤵
- Loads dropped DLL
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"13⤵
- Loads dropped DLL
PID:920 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"14⤵
- Loads dropped DLL
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"15⤵
- Loads dropped DLL
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"16⤵
- Loads dropped DLL
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"17⤵
- Loads dropped DLL
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"18⤵
- Loads dropped DLL
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"19⤵
- Loads dropped DLL
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"20⤵
- Loads dropped DLL
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"21⤵
- Loads dropped DLL
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"22⤵
- Loads dropped DLL
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"23⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"24⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"25⤵PID:592
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"26⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"27⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"28⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"29⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"30⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"31⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"32⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"33⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"34⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"35⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"36⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"37⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"38⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"39⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"40⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"41⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"42⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"43⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"44⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"45⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"46⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"47⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"48⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"49⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"50⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"51⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"52⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"53⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"54⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"55⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"56⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"57⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"58⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"59⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"60⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"61⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"62⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"63⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"64⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"65⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"66⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"67⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"68⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"69⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"70⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"71⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"72⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"73⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"74⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"75⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"76⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"77⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"78⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"79⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"80⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"81⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"82⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"83⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"84⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"85⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"86⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"87⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"88⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"89⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"90⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"91⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"92⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"93⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"94⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"95⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"96⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"97⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"98⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"99⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"100⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"101⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"102⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"103⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"104⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"105⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"106⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"107⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"108⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"109⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"110⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"111⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"112⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"113⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"114⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"115⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"116⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"117⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"118⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"119⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"120⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"121⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"122⤵PID:2480