3Analysis
-
max time kernel
42s -
max time network
156s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64 arch:x86 image:win11-20240419-en locale:en-us os:windows11-21h2-x64 system -
submitted
26-04-2024 15:47
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
Setup.exe
Resource
win11-20240419-en
Behavioral task
behavioral6
Sample
Chrome.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Chrome.exe
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
Chrome.exe
Resource
win10-20240404-en
Behavioral task
behavioral9
Sample
Chrome.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral10
Sample
Chrome.exe
Resource
win11-20240419-en
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral13
Sample
Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Setup.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral15
Sample
Setup.exe
Resource
win11-20240412-en
Errors
General
-
Target
Setup.exe
-
Size
22.5MB
-
MD5
a4e313952f14d899867d53c80335dce3
-
SHA1
7703d0a9725dea829dd023d9575322ccae81319c
-
SHA256
9e60d8f8d14a520f023015e9b7e1254756a0bbebe294707cd705f5262b2e07b5
-
SHA512
018a2cc0841fd568d2fe3ade35f708dcb06d9ce148a3c085ccdcb70ab51999f7167b57f5c45c665758cfc72371a5bac002425241d3d89639382fc706a325059e
-
SSDEEP
393216:7qwr6Kwzs3OQs5rmJdW96tBbcQR+yu/tKWao+L37GcrKCUcrfuqIC:7qwFwzs+Q6ridk+hcQR+yusk+LLxrKCv
Malware Config
Extracted
nanocore
1.2.2.0
haxorbaba.duckdns.org:1604 (C2 endpoint; duckdns.org is a dynamic-DNS service, so the resolved IP will vary over time — pivot on the hostname and port 1604, and on the mutex GUID below, rather than on an IP)
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-05-25T14:42:31.650976636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3994
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (= 10485760 bytes, i.e. 10 MiB; rendered in scientific notation by the config extractor)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (= 10485760 bytes, i.e. 10 MiB)
-
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
haxorbaba.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2228 Chrome.exe 1500 Chrome.exe 3628 Chrome.exe 4528 Chrome.exe 4092 Chrome.exe 3288 Chrome.exe 3936 Chrome.exe 1460 Chrome.exe 3764 Chrome.exe 3128 Chrome.exe 2332 Chrome.exe 1596 Chrome.exe 776 Chrome.exe 2340 Chrome.exe 1976 Chrome.exe 1608 Chrome.exe 4244 Chrome.exe 352 Chrome.exe 3788 Chrome.exe 1444 Chrome.exe 1204 Chrome.exe 3976 Chrome.exe 2432 Chrome.exe 4860 Chrome.exe 2492 Chrome.exe 3152 Chrome.exe 3692 Chrome.exe 2152 Chrome.exe 2860 Chrome.exe 1316 Chrome.exe 4288 Chrome.exe 3776 Chrome.exe 2096 Chrome.exe 3856 Chrome.exe 5060 Chrome.exe 3764 Chrome.exe 1676 Chrome.exe 1088 Chrome.exe 4292 Chrome.exe 4672 Chrome.exe 2852 Chrome.exe 800 Chrome.exe 4868 Chrome.exe 1440 Chrome.exe 1164 Chrome.exe 5016 Chrome.exe 2112 Chrome.exe 2832 Chrome.exe 4796 Chrome.exe 3920 Chrome.exe 4900 Chrome.exe 3704 Chrome.exe 1668 Chrome.exe 3148 Chrome.exe 3872 Chrome.exe 3284 Chrome.exe 1456 Chrome.exe 1676 Chrome.exe 452 Chrome.exe 3680 Chrome.exe 1220 Chrome.exe 1104 Chrome.exe 4536 Chrome.exe 2240 Chrome.exe -
Adds Run key to start application 2 TTPs 1 IoCs — the "UDP Service" Run value points at the udpsv.exe that the same process drops into Program Files (x86) (see "Drops file in Program Files directory" below). The value lives under the machine-wide HKLM Run key (WOW6432Node, i.e. written by a 32-bit process), which requires elevated rights; this is consistent with request_elevation = true in the extracted config, even though the config's own run_on_startup flag is false.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" Chrome.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chrome.exe (EnableLUA is the UAC policy flag; it is only read here, not modified) -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 2228 set thread context of 1500 2228 Chrome.exe 82 PID 3628 set thread context of 4528 3628 Chrome.exe 87 PID 4092 set thread context of 3288 4092 Chrome.exe 93 PID 3936 set thread context of 1460 3936 Chrome.exe 98 PID 3764 set thread context of 3128 3764 Chrome.exe 101 PID 2332 set thread context of 1596 2332 Chrome.exe 106 PID 776 set thread context of 2340 776 Chrome.exe 109 PID 1976 set thread context of 1608 1976 Chrome.exe 114 PID 4244 set thread context of 352 4244 Chrome.exe 219 PID 3788 set thread context of 1444 3788 Chrome.exe 122 PID 1204 set thread context of 3976 1204 Chrome.exe 127 PID 2432 set thread context of 4860 2432 Chrome.exe 130 PID 2492 set thread context of 3152 2492 Chrome.exe 133 PID 3692 set thread context of 2152 3692 Chrome.exe 136 PID 2860 set thread context of 1316 2860 Chrome.exe 139 PID 4288 set thread context of 3776 4288 Chrome.exe 270 PID 2096 set thread context of 3856 2096 Chrome.exe 355 PID 5060 set thread context of 3764 5060 Chrome.exe 150 PID 1676 set thread context of 1088 1676 Chrome.exe 153 PID 4292 set thread context of 4672 4292 Chrome.exe 156 PID 2852 set thread context of 800 2852 Chrome.exe 160 PID 4868 set thread context of 1440 4868 Chrome.exe 163 PID 1164 set thread context of 5016 1164 Chrome.exe 299 PID 2112 set thread context of 2832 2112 Chrome.exe 169 PID 4796 set thread context of 3920 4796 Chrome.exe 172 PID 4900 set thread context of 3704 4900 Chrome.exe 175 PID 1668 set thread context of 3148 1668 Chrome.exe 180 PID 3872 set thread context of 3284 3872 Chrome.exe 183 PID 1456 set thread context of 1676 1456 Chrome.exe 380 PID 452 set thread context of 3680 452 Chrome.exe 189 PID 1220 set thread context of 1104 1220 Chrome.exe 392 PID 4536 set thread context of 2240 4536 Chrome.exe 197 PID 4444 set thread context of 2012 4444 Chrome.exe 490 PID 8 set thread context of 3692 8 Chrome.exe 344 PID 3968 set thread context of 2100 3968 Chrome.exe 206 PID 4256 set 
thread context of 1596 4256 Chrome.exe 211 PID 4832 set thread context of 4300 4832 Chrome.exe 514 PID 5028 set thread context of 352 5028 Chrome.exe 620 PID 452 set thread context of 3056 452 Chrome.exe 222 PID 4884 set thread context of 3340 4884 Chrome.exe 637 PID 4584 set thread context of 1072 4584 Chrome.exe 228 PID 3084 set thread context of 4940 3084 Chrome.exe 363 PID 4896 set thread context of 4624 4896 Chrome.exe 470 PID 1792 set thread context of 3052 1792 Chrome.exe 239 PID 4200 set thread context of 3872 4200 Chrome.exe 526 PID 2260 set thread context of 2512 2260 Chrome.exe 452 PID 3908 set thread context of 3532 3908 Chrome.exe 248 PID 4536 set thread context of 2804 4536 Chrome.exe 252 PID 3732 set thread context of 4796 3732 Chrome.exe 257 PID 3016 set thread context of 4608 3016 Chrome.exe 449 PID 4848 set thread context of 1568 4848 Chrome.exe 707 PID 2740 set thread context of 4764 2740 Chrome.exe 269 PID 3776 set thread context of 5096 3776 Chrome.exe 271 PID 3684 set thread context of 1396 3684 Chrome.exe 276 PID 4852 set thread context of 3296 4852 Chrome.exe 279 PID 1564 set thread context of 3800 1564 Chrome.exe 284 PID 5044 set thread context of 4584 5044 Chrome.exe 622 PID 2028 set thread context of 5060 2028 Chrome.exe 846 PID 4896 set thread context of 3912 4896 Chrome.exe 872 PID 1668 set thread context of 2740 1668 Chrome.exe 394 PID 4752 set thread context of 5016 4752 Chrome.exe 523 PID 412 set thread context of 1680 412 Chrome.exe 302 PID 452 set thread context of 4992 452 Chrome.exe 305 PID 3908 set thread context of 1848 3908 Chrome.exe 512 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\UDP Service\udpsv.exe Chrome.exe File opened for modification C:\Program Files (x86)\UDP Service\udpsv.exe Chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). On its own this is a weak indicator — legitimate installers do the same — and no IoCs are listed for it; weigh it together with the persistence and injection signatures below.
-
Program crash 64 IoCs
pid pid_target Process procid_target 4604 1500 WerFault.exe 82 3416 3128 WerFault.exe 101 3636 2340 WerFault.exe 109 828 1608 WerFault.exe 114 1164 1444 WerFault.exe 122 3412 1316 WerFault.exe 139 1488 3704 WerFault.exe 175 2568 3680 WerFault.exe 189 600 2100 WerFault.exe 206 4712 1596 WerFault.exe 211 2488 1072 WerFault.exe 228 1424 2804 WerFault.exe 252 3896 4796 WerFault.exe 257 4660 5096 WerFault.exe 271 3976 3296 WerFault.exe 279 3344 1068 WerFault.exe 311 2484 2672 WerFault.exe 322 3908 5056 WerFault.exe 336 4620 1460 WerFault.exe 374 632 4924 WerFault.exe 388 2428 1792 WerFault.exe 402 4180 1256 WerFault.exe 413 2820 4540 WerFault.exe 424 2312 3136 WerFault.exe 432 1644 1592 WerFault.exe 437 2920 4752 WerFault.exe 445 2568 1236 WerFault.exe 453 828 4840 WerFault.exe 458 2332 3832 WerFault.exe 508 4256 2272 WerFault.exe 513 5016 1388 WerFault.exe 521 3980 4656 WerFault.exe 532 1648 852 WerFault.exe 549 1168 1756 WerFault.exe 557 4012 4204 WerFault.exe 574 3712 2028 WerFault.exe 594 2296 4632 WerFault.exe 602 1708 1436 WerFault.exe 628 672 1212 WerFault.exe 639 4692 3448 WerFault.exe 644 3140 2948 WerFault.exe 649 2432 3196 WerFault.exe 654 4588 4052 WerFault.exe 680 4860 3828 WerFault.exe 697 4788 4876 WerFault.exe 702 4316 4672 WerFault.exe 719 1400 380 WerFault.exe 724 2380 1864 WerFault.exe 744 4748 4504 WerFault.exe 755 4112 1164 WerFault.exe 760 1316 432 WerFault.exe 765 2712 4816 WerFault.exe 770 2568 1472 WerFault.exe 778 3568 3440 WerFault.exe 807 4356 4660 WerFault.exe 812 696 672 WerFault.exe 829 228 2112 WerFault.exe 834 3936 1788 WerFault.exe 845 1708 4848 WerFault.exe 856 4256 944 WerFault.exe 867 1912 2904 WerFault.exe 890 2292 2080 WerFault.exe 901 1168 352 WerFault.exe 918 1008 3416 WerFault.exe 923 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Both schtasks.exe instances listed here (PIDs 900 and 4176) were spawned by Chrome.exe PID 4528, per the "Suspicious use of WriteProcessMemory" section; the task command lines are not captured in this report, so the exact task name and trigger cannot be confirmed from here.
pid Process 900 schtasks.exe 4176 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe 4528 Chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4528 Chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2228 Chrome.exe Token: SeDebugPrivilege 3628 Chrome.exe Token: SeDebugPrivilege 4092 Chrome.exe Token: SeDebugPrivilege 3936 Chrome.exe Token: SeDebugPrivilege 4528 Chrome.exe Token: SeDebugPrivilege 3764 Chrome.exe Token: SeDebugPrivilege 2332 Chrome.exe Token: SeDebugPrivilege 776 Chrome.exe Token: SeDebugPrivilege 1976 Chrome.exe Token: SeDebugPrivilege 4244 Chrome.exe Token: SeDebugPrivilege 3788 Chrome.exe Token: SeDebugPrivilege 1204 Chrome.exe Token: SeDebugPrivilege 2432 Chrome.exe Token: SeDebugPrivilege 2492 Chrome.exe Token: SeDebugPrivilege 3692 Chrome.exe Token: SeDebugPrivilege 2860 Chrome.exe Token: SeDebugPrivilege 4288 Chrome.exe Token: SeDebugPrivilege 2096 Chrome.exe Token: SeDebugPrivilege 5060 Chrome.exe Token: SeDebugPrivilege 1676 Chrome.exe Token: SeDebugPrivilege 4292 Chrome.exe Token: SeDebugPrivilege 2852 Chrome.exe Token: SeDebugPrivilege 4868 Chrome.exe Token: SeDebugPrivilege 1164 Chrome.exe Token: SeDebugPrivilege 2112 Chrome.exe Token: SeDebugPrivilege 4796 Chrome.exe Token: SeDebugPrivilege 4900 Chrome.exe Token: SeDebugPrivilege 1668 Chrome.exe Token: SeDebugPrivilege 3872 Chrome.exe Token: SeDebugPrivilege 1456 Chrome.exe Token: SeDebugPrivilege 452 Chrome.exe Token: SeDebugPrivilege 1220 Chrome.exe Token: SeDebugPrivilege 4536 Chrome.exe Token: SeDebugPrivilege 4444 Chrome.exe Token: SeDebugPrivilege 8 Chrome.exe Token: SeDebugPrivilege 3968 Chrome.exe Token: SeDebugPrivilege 4256 Chrome.exe Token: SeDebugPrivilege 4832 Chrome.exe Token: SeDebugPrivilege 5028 Chrome.exe Token: SeDebugPrivilege 452 Chrome.exe Token: SeDebugPrivilege 4884 Chrome.exe Token: SeDebugPrivilege 4584 Chrome.exe Token: SeDebugPrivilege 3084 Chrome.exe Token: SeDebugPrivilege 4896 Chrome.exe Token: SeDebugPrivilege 1792 Chrome.exe Token: SeDebugPrivilege 4200 Chrome.exe Token: SeDebugPrivilege 2260 Chrome.exe Token: SeDebugPrivilege 3908 Chrome.exe Token: SeDebugPrivilege 4536 Chrome.exe Token: 
SeDebugPrivilege 3732 Chrome.exe Token: SeDebugPrivilege 3016 Chrome.exe Token: SeDebugPrivilege 4848 Chrome.exe Token: SeDebugPrivilege 2740 Chrome.exe Token: SeDebugPrivilege 3776 Chrome.exe Token: SeDebugPrivilege 3684 Chrome.exe Token: SeDebugPrivilege 4852 Chrome.exe Token: SeDebugPrivilege 1564 Chrome.exe Token: SeDebugPrivilege 5044 Chrome.exe Token: SeDebugPrivilege 2028 Chrome.exe Token: SeDebugPrivilege 4896 Chrome.exe Token: SeDebugPrivilege 1668 Chrome.exe Token: SeDebugPrivilege 4752 Chrome.exe Token: SeDebugPrivilege 412 Chrome.exe Token: SeDebugPrivilege 452 Chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4356 wrote to memory of 4588 4356 Setup.exe 80 PID 4356 wrote to memory of 4588 4356 Setup.exe 80 PID 4356 wrote to memory of 4588 4356 Setup.exe 80 PID 4356 wrote to memory of 2228 4356 Setup.exe 81 PID 4356 wrote to memory of 2228 4356 Setup.exe 81 PID 4356 wrote to memory of 2228 4356 Setup.exe 81 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 2228 wrote to memory of 1500 2228 Chrome.exe 82 PID 4588 wrote to memory of 2288 4588 Setup.exe 84 PID 4588 wrote to memory of 2288 4588 Setup.exe 84 PID 4588 wrote to memory of 2288 4588 Setup.exe 84 PID 4588 wrote to memory of 3628 4588 Setup.exe 85 PID 4588 wrote to memory of 3628 4588 Setup.exe 85 PID 4588 wrote to memory of 3628 4588 Setup.exe 85 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 3628 wrote to memory of 4528 3628 Chrome.exe 87 PID 2288 wrote to memory of 600 2288 Setup.exe 89 PID 2288 wrote to memory of 600 2288 Setup.exe 89 PID 2288 wrote to memory of 600 2288 Setup.exe 89 PID 2288 wrote to memory of 4092 2288 Setup.exe 90 PID 2288 wrote to memory of 4092 2288 Setup.exe 90 PID 2288 wrote to memory of 4092 2288 Setup.exe 90 PID 4528 wrote to memory of 900 4528 Chrome.exe 91 PID 4528 wrote to memory of 900 4528 Chrome.exe 91 PID 4528 wrote to memory of 900 4528 Chrome.exe 91 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 
wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4092 wrote to memory of 3288 4092 Chrome.exe 93 PID 4528 wrote to memory of 4176 4528 Chrome.exe 94 PID 4528 wrote to memory of 4176 4528 Chrome.exe 94 PID 4528 wrote to memory of 4176 4528 Chrome.exe 94 PID 600 wrote to memory of 1524 600 Setup.exe 95 PID 600 wrote to memory of 1524 600 Setup.exe 95 PID 600 wrote to memory of 1524 600 Setup.exe 95 PID 600 wrote to memory of 3936 600 Setup.exe 97 PID 600 wrote to memory of 3936 600 Setup.exe 97 PID 600 wrote to memory of 3936 600 Setup.exe 97 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 3936 wrote to memory of 1460 3936 Chrome.exe 98 PID 1524 wrote to memory of 4648 1524 Setup.exe 99 PID 1524 wrote to memory of 4648 1524 Setup.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"6⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"7⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"8⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"9⤵PID:800
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"10⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"11⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"12⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"13⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"14⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"15⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"16⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"17⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"18⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"19⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"20⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"21⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"22⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"23⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"24⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"25⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"26⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"27⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"28⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"29⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"30⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"31⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"32⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"33⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"34⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"35⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"36⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"37⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"38⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"39⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"40⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"41⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"42⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"43⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"44⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"45⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"46⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"47⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"48⤵PID:3488
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"49⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"50⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"51⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"52⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"53⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"54⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"55⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"56⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"57⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"58⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"59⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"60⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"61⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"62⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"63⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"64⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"65⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"66⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"67⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"68⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"69⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"70⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"71⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"72⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"73⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"74⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"75⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"76⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"77⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"78⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"79⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"80⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"81⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"82⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"83⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"84⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"85⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"86⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"87⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"88⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"89⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"90⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"91⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"92⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"93⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"94⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"95⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"96⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"97⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"98⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"99⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"100⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"101⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"102⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"103⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"104⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"105⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"106⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"107⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"108⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"109⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"110⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"111⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"112⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"113⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"114⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"115⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"116⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"117⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"118⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"119⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"120⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"121⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"122⤵PID:4988
-