3Analysis
-
max time kernel
851s -
max time network
1798s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system -
submitted
26/04/2024, 15:47
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
Setup.exe
Resource
win11-20240419-en
Behavioral task
behavioral6
Sample
Chrome.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Chrome.exe
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
Chrome.exe
Resource
win10-20240404-en
Behavioral task
behavioral9
Sample
Chrome.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral10
Sample
Chrome.exe
Resource
win11-20240419-en
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral13
Sample
Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral15
Sample
Setup.exe
Resource
win11-20240412-en
General
-
Target
Setup.exe
-
Size
22.5MB
-
MD5
a4e313952f14d899867d53c80335dce3
-
SHA1
7703d0a9725dea829dd023d9575322ccae81319c
-
SHA256
9e60d8f8d14a520f023015e9b7e1254756a0bbebe294707cd705f5262b2e07b5
-
SHA512
018a2cc0841fd568d2fe3ade35f708dcb06d9ce148a3c085ccdcb70ab51999f7167b57f5c45c665758cfc72371a5bac002425241d3d89639382fc706a325059e
-
SSDEEP
393216:7qwr6Kwzs3OQs5rmJdW96tBbcQR+yu/tKWao+L37GcrKCUcrfuqIC:7qwFwzs+Q6ridk+hcQR+yusk+LLxrKCv
Malware Config
Extracted
nanocore
1.2.2.0
haxorbaba.duckdns.org:1604
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-05-25T14:42:31.650976636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3994
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
haxorbaba.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control 
Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried 
\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried 
\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value 
queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation Setup.exe -
Executes dropped EXE 64 IoCs
pid Process 3608 Chrome.exe 2736 Chrome.exe 3484 Chrome.exe 1620 Chrome.exe 1736 Chrome.exe 2316 Chrome.exe 4460 Chrome.exe 816 Chrome.exe 3604 Chrome.exe 4436 Chrome.exe 1072 Chrome.exe 3768 Chrome.exe 1280 Chrome.exe 1816 Chrome.exe 4416 Chrome.exe 4524 Chrome.exe 1640 Chrome.exe 3536 Chrome.exe 4080 Chrome.exe 456 Chrome.exe 4692 Chrome.exe 1760 Chrome.exe 4856 Chrome.exe 4936 Chrome.exe 4484 Chrome.exe 4584 Chrome.exe 3632 Chrome.exe 3348 Chrome.exe 3824 Chrome.exe 3188 Chrome.exe 5112 Chrome.exe 2828 Chrome.exe 4368 Chrome.exe 2284 Chrome.exe 2152 Chrome.exe 392 Chrome.exe 4084 Chrome.exe 1280 Chrome.exe 540 Chrome.exe 4164 Chrome.exe 4176 Chrome.exe 3228 Chrome.exe 2780 Chrome.exe 2228 Chrome.exe 2356 Chrome.exe 1524 Chrome.exe 4316 Chrome.exe 3608 Chrome.exe 2776 Chrome.exe 3332 Chrome.exe 2328 Chrome.exe 1196 Chrome.exe 4552 Chrome.exe 4224 Chrome.exe 520 Chrome.exe 4184 Chrome.exe 4372 Chrome.exe 4724 Chrome.exe 4080 Chrome.exe 1488 Chrome.exe 2196 Chrome.exe 376 Chrome.exe 636 Chrome.exe 2852 Chrome.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasvc.exe" Chrome.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chrome.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 2736 set thread context of 3484 2736 Chrome.exe 90 PID 3608 set thread context of 1620 3608 Chrome.exe 89 PID 1736 set thread context of 2316 1736 Chrome.exe 93 PID 4460 set thread context of 816 4460 Chrome.exe 101 PID 3604 set thread context of 4436 3604 Chrome.exe 104 PID 1072 set thread context of 3768 1072 Chrome.exe 107 PID 1280 set thread context of 1816 1280 Chrome.exe 110 PID 4416 set thread context of 4524 4416 Chrome.exe 113 PID 1640 set thread context of 3536 1640 Chrome.exe 117 PID 4080 set thread context of 456 4080 Chrome.exe 120 PID 4692 set thread context of 1760 4692 Chrome.exe 123 PID 4856 set thread context of 4936 4856 Chrome.exe 126 PID 4484 set thread context of 4584 4484 Chrome.exe 129 PID 3632 set thread context of 3348 3632 Chrome.exe 134 PID 3824 set thread context of 3188 3824 Chrome.exe 138 PID 5112 set thread context of 2828 5112 Chrome.exe 141 PID 4368 set thread context of 2284 4368 Chrome.exe 146 PID 2152 set thread context of 392 2152 Chrome.exe 240 PID 4084 set thread context of 1280 4084 Chrome.exe 244 PID 540 set thread context of 4164 540 Chrome.exe 155 PID 4176 set thread context of 3228 4176 Chrome.exe 160 PID 2780 set thread context of 2228 2780 Chrome.exe 163 PID 2356 set thread context of 1524 2356 Chrome.exe 166 PID 4316 set thread context of 3608 4316 Chrome.exe 169 PID 2776 set thread context of 3332 2776 Chrome.exe 172 PID 2328 set thread context of 1196 2328 Chrome.exe 177 PID 4552 set thread context of 4224 4552 Chrome.exe 272 PID 520 set thread context of 4184 520 Chrome.exe 185 PID 4372 set thread context of 4724 4372 Chrome.exe 188 PID 4080 set thread context of 1488 4080 Chrome.exe 314 PID 2196 set thread context of 376 2196 Chrome.exe 194 PID 636 set thread context of 2852 636 Chrome.exe 197 PID 2716 set thread context of 5036 2716 Chrome.exe 200 PID 2344 set thread context of 5112 2344 Chrome.exe 205 PID 5092 set thread context of 4368 5092 Chrome.exe 208 PID 892 set 
thread context of 1980 892 Chrome.exe 213 PID 3464 set thread context of 3312 3464 Chrome.exe 218 PID 2352 set thread context of 1968 2352 Chrome.exe 221 PID 4056 set thread context of 2528 4056 Chrome.exe 226 PID 680 set thread context of 4456 680 Chrome.exe 413 PID 3104 set thread context of 972 3104 Chrome.exe 232 PID 3784 set thread context of 1736 3784 Chrome.exe 319 PID 1032 set thread context of 392 1032 Chrome.exe 240 PID 4264 set thread context of 1440 4264 Chrome.exe 243 PID 4348 set thread context of 2044 4348 Chrome.exe 246 PID 1312 set thread context of 3556 1312 Chrome.exe 249 PID 1760 set thread context of 3764 1760 Chrome.exe 388 PID 1272 set thread context of 4176 1272 Chrome.exe 255 PID 4080 set thread context of 3188 4080 Chrome.exe 469 PID 2968 set thread context of 2132 2968 Chrome.exe 263 PID 2308 set thread context of 1572 2308 Chrome.exe 266 PID 332 set thread context of 2028 332 Chrome.exe 269 PID 4500 set thread context of 4224 4500 Chrome.exe 272 PID 1080 set thread context of 5084 1080 Chrome.exe 358 PID 2388 set thread context of 1012 2388 Chrome.exe 586 PID 2684 set thread context of 4696 2684 Chrome.exe 283 PID 548 set thread context of 3532 548 Chrome.exe 286 PID 3540 set thread context of 4040 3540 Chrome.exe 291 PID 4692 set thread context of 4104 4692 Chrome.exe 294 PID 3328 set thread context of 5080 3328 Chrome.exe 297 PID 2440 set thread context of 2932 2440 Chrome.exe 300 PID 452 set thread context of 4308 452 Chrome.exe 303 PID 1132 set thread context of 4088 1132 Chrome.exe 306 PID 2200 set thread context of 3128 2200 Chrome.exe 311 -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\WPA Service\wpasvc.exe Chrome.exe File created C:\Program Files (x86)\WPA Service\wpasvc.exe Chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
pid pid_target Process procid_target 624 4584 WerFault.exe 129 4308 2828 WerFault.exe 141 4004 4164 WerFault.exe 155 916 3332 WerFault.exe 172 2844 1196 WerFault.exe 177 404 5036 WerFault.exe 200 2964 4368 WerFault.exe 208 4452 1980 WerFault.exe 213 1420 1968 WerFault.exe 221 2740 972 WerFault.exe 232 372 4176 WerFault.exe 255 3368 4224 WerFault.exe 272 2160 3532 WerFault.exe 286 2732 4088 WerFault.exe 306 2020 3644 WerFault.exe 338 4780 4536 WerFault.exe 346 3184 532 WerFault.exe 379 3460 1720 WerFault.exe 394 4244 548 WerFault.exe 418 4244 3276 WerFault.exe 436 3352 1640 WerFault.exe 456 1740 3876 WerFault.exe 497 4296 2808 WerFault.exe 517 3016 600 WerFault.exe 540 3104 3556 WerFault.exe 557 4396 2964 WerFault.exe 562 4972 1980 WerFault.exe 582 4340 3036 WerFault.exe 632 2028 4956 WerFault.exe 655 3824 4652 WerFault.exe 666 4900 3252 WerFault.exe 677 3648 2404 WerFault.exe 700 4120 1632 WerFault.exe 720 5036 680 WerFault.exe 725 1312 4296 WerFault.exe 730 3616 4656 WerFault.exe 789 3760 4936 WerFault.exe 794 1760 1692 WerFault.exe 799 4408 1928 WerFault.exe 816 3672 3532 WerFault.exe 824 2076 4140 WerFault.exe 832 5028 1248 WerFault.exe 843 3612 4340 WerFault.exe 878 4500 3548 WerFault.exe 889 2688 2392 WerFault.exe 894 2724 1084 WerFault.exe 914 1948 3724 WerFault.exe 928 4784 376 WerFault.exe 933 2360 1644 WerFault.exe 944 5048 1484 WerFault.exe 964 2064 1280 WerFault.exe 978 3920 2052 WerFault.exe 983 312 4492 WerFault.exe 1006 428 332 WerFault.exe 1011 2628 1816 WerFault.exe 1025 1932 4044 WerFault.exe 1030 1660 1500 WerFault.exe 1053 4176 3972 WerFault.exe 1073 400 1660 WerFault.exe 1081 452 4224 WerFault.exe 1086 3536 4588 WerFault.exe 1091 3520 3068 WerFault.exe 1105 764 3736 Process not Found 1119 1708 4312 Process not Found 1145 -
Creates scheduled task(s) 1 TTPs 2 IoCs
schtasks.exe is often used by malware for persistence or to perform post-infection execution.
pid Process 1252 schtasks.exe 3316 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe 1620 Chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1620 Chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3608 Chrome.exe Token: SeDebugPrivilege 2736 Chrome.exe Token: SeDebugPrivilege 1736 Chrome.exe Token: SeDebugPrivilege 4460 Chrome.exe Token: SeDebugPrivilege 3604 Chrome.exe Token: SeDebugPrivilege 1620 Chrome.exe Token: SeDebugPrivilege 1072 Chrome.exe Token: SeDebugPrivilege 1280 Chrome.exe Token: SeDebugPrivilege 4416 Chrome.exe Token: SeDebugPrivilege 1640 Chrome.exe Token: SeDebugPrivilege 4080 Chrome.exe Token: SeDebugPrivilege 4692 Chrome.exe Token: SeDebugPrivilege 4856 Chrome.exe Token: SeDebugPrivilege 4484 Chrome.exe Token: SeDebugPrivilege 3632 Chrome.exe Token: SeDebugPrivilege 3824 Chrome.exe Token: SeDebugPrivilege 5112 Chrome.exe Token: SeDebugPrivilege 4368 Chrome.exe Token: SeDebugPrivilege 2152 Chrome.exe Token: SeDebugPrivilege 4084 Chrome.exe Token: SeDebugPrivilege 540 Chrome.exe Token: SeDebugPrivilege 4176 Chrome.exe Token: SeDebugPrivilege 2780 Chrome.exe Token: SeDebugPrivilege 2356 Chrome.exe Token: SeDebugPrivilege 4316 Chrome.exe Token: SeDebugPrivilege 2776 Chrome.exe Token: SeDebugPrivilege 2328 Chrome.exe Token: SeDebugPrivilege 4552 Chrome.exe Token: SeDebugPrivilege 520 Chrome.exe Token: SeDebugPrivilege 4372 Chrome.exe Token: SeDebugPrivilege 4080 Chrome.exe Token: SeDebugPrivilege 2196 Chrome.exe Token: SeDebugPrivilege 636 Chrome.exe Token: SeDebugPrivilege 2716 Chrome.exe Token: SeDebugPrivilege 2344 Chrome.exe Token: SeDebugPrivilege 5092 Chrome.exe Token: SeDebugPrivilege 892 Chrome.exe Token: SeDebugPrivilege 3464 Chrome.exe Token: SeDebugPrivilege 2352 Chrome.exe Token: SeDebugPrivilege 4056 Chrome.exe Token: SeDebugPrivilege 680 Chrome.exe Token: SeDebugPrivilege 3104 Chrome.exe Token: SeDebugPrivilege 3784 Chrome.exe Token: SeDebugPrivilege 1032 Chrome.exe Token: SeDebugPrivilege 4264 Chrome.exe Token: SeDebugPrivilege 4348 Chrome.exe Token: SeDebugPrivilege 1312 Chrome.exe Token: SeDebugPrivilege 1760 Chrome.exe Token: SeDebugPrivilege 1272 Chrome.exe Token: 
SeDebugPrivilege 4080 Chrome.exe Token: SeDebugPrivilege 2968 Chrome.exe Token: SeDebugPrivilege 2308 Chrome.exe Token: SeDebugPrivilege 332 Chrome.exe Token: SeDebugPrivilege 4500 Chrome.exe Token: SeDebugPrivilege 1080 Chrome.exe Token: SeDebugPrivilege 2388 Chrome.exe Token: SeDebugPrivilege 2684 Chrome.exe Token: SeDebugPrivilege 548 Chrome.exe Token: SeDebugPrivilege 3540 Chrome.exe Token: SeDebugPrivilege 4692 Chrome.exe Token: SeDebugPrivilege 3328 Chrome.exe Token: SeDebugPrivilege 2440 Chrome.exe Token: SeDebugPrivilege 452 Chrome.exe Token: SeDebugPrivilege 1132 Chrome.exe -
Suspicious use of UnmapMainImage 64 IoCs
pid Process 3332 Chrome.exe 4224 Chrome.exe 532 Chrome.exe 1640 Chrome.exe 1248 Chrome.exe 3724 Chrome.exe 4044 Chrome.exe 3736 Process not Found 2528 Process not Found 2456 Process not Found 812 Process not Found 1588 Process not Found 4392 Process not Found 224 Process not Found 4552 Process not Found 2872 Process not Found 2720 Process not Found 2852 Process not Found 2312 Process not Found 4380 Process not Found 2020 Process not Found 1736 Process not Found 1508 Process not Found 2180 Process not Found 1412 Process not Found 1320 Process not Found 3976 Process not Found 2712 Process not Found 4208 Process not Found 1316 Process not Found 4656 Process not Found 4136 Process not Found 4676 Process not Found 4676 Process not Found 4648 Process not Found 3824 Process not Found 3772 Process not Found 3716 Process not Found 3220 Process not Found 2196 Process not Found 2200 Process not Found 2132 Process not Found 2904 Process not Found 4052 Process not Found 3332 Process not Found 2044 Process not Found 764 Process not Found 1172 Process not Found 5072 Process not Found 1280 Process not Found 3484 Process not Found 1320 Process not Found 1740 Process not Found 4808 Process not Found 3856 Process not Found 1736 Process not Found 4292 Process not Found 3276 Process not Found 4084 Process not Found 1980 Process not Found 4464 Process not Found 3828 Process not Found 4792 Process not Found 2380 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 3968 5076 Setup.exe 85 PID 5076 wrote to memory of 3968 5076 Setup.exe 85 PID 5076 wrote to memory of 3968 5076 Setup.exe 85 PID 5076 wrote to memory of 3608 5076 Setup.exe 86 PID 5076 wrote to memory of 3608 5076 Setup.exe 86 PID 5076 wrote to memory of 3608 5076 Setup.exe 86 PID 3968 wrote to memory of 3824 3968 Setup.exe 87 PID 3968 wrote to memory of 3824 3968 Setup.exe 87 PID 3968 wrote to memory of 3824 3968 Setup.exe 87 PID 3968 wrote to memory of 2736 3968 Setup.exe 88 PID 3968 wrote to memory of 2736 3968 Setup.exe 88 PID 3968 wrote to memory of 2736 3968 Setup.exe 88 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 3608 wrote to memory of 1620 3608 Chrome.exe 89 PID 2736 wrote to memory of 3484 2736 Chrome.exe 90 PID 3824 wrote to memory of 2116 3824 Setup.exe 91 PID 3824 wrote to memory of 2116 3824 Setup.exe 91 PID 3824 wrote to memory of 2116 3824 Setup.exe 91 PID 3824 wrote to memory of 1736 3824 Setup.exe 92 PID 3824 wrote to memory of 1736 3824 Setup.exe 92 PID 3824 wrote to memory of 1736 3824 Setup.exe 92 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 
1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1736 wrote to memory of 2316 1736 Chrome.exe 93 PID 1620 wrote to memory of 1252 1620 Chrome.exe 94 PID 1620 wrote to memory of 1252 1620 Chrome.exe 94 PID 1620 wrote to memory of 1252 1620 Chrome.exe 94 PID 2116 wrote to memory of 5084 2116 Setup.exe 97 PID 2116 wrote to memory of 5084 2116 Setup.exe 97 PID 2116 wrote to memory of 5084 2116 Setup.exe 97 PID 2116 wrote to memory of 4460 2116 Setup.exe 98 PID 2116 wrote to memory of 4460 2116 Setup.exe 98 PID 2116 wrote to memory of 4460 2116 Setup.exe 98 PID 1620 wrote to memory of 3316 1620 Chrome.exe 99 PID 1620 wrote to memory of 3316 1620 Chrome.exe 99 PID 1620 wrote to memory of 3316 1620 Chrome.exe 99 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 4460 wrote to memory of 816 4460 Chrome.exe 101 PID 5084 wrote to memory of 4904 5084 Setup.exe 102 PID 5084 wrote to memory of 4904 5084 Setup.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"6⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"7⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"8⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"9⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"10⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"11⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"12⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"13⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"14⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"15⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"16⤵PID:3736
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"17⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"18⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"19⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"20⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"21⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"22⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"23⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"24⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"25⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"26⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"27⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"28⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"29⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"30⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"31⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"32⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"33⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"34⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"35⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"36⤵
- Checks computer location settings
PID:3868
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"37⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"38⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"39⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"40⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"41⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"42⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"43⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"44⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"45⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"46⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"47⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"48⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"49⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"50⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"51⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"52⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"53⤵
- Checks computer location settings
PID:3784
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"54⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"55⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"56⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"57⤵PID:520
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"58⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"59⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"60⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"61⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"62⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"63⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"64⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"65⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"66⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"67⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"68⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"69⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"70⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"71⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"72⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"73⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"74⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"75⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"76⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"77⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"78⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"79⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"80⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"81⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"82⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"83⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"84⤵
- Checks computer location settings
PID:408
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"85⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"86⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"87⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"88⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"89⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"90⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"91⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"92⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"93⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"94⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"95⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"96⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"97⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"98⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"99⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"100⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"101⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"102⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"103⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"104⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"105⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"106⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"107⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"108⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"109⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"110⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"111⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"112⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"113⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"114⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"115⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"116⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"117⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"118⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"119⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"120⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"121⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"122⤵PID:2852