Analysis
-
max time kernel
17s -
max time network
110s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
09-11-2024 21:44
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
Chrome.exe
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win11-20241007-en
General
-
Target
Setup.exe
-
Size
11.7MB
-
MD5
c13eaea9f5401998054cd90d3522732d
-
SHA1
5f227077d8b533892a7cba05ae6cbe112ce51d13
-
SHA256
0119abb16b47b36c9497b835ed305fa8344d2d7c8d663eb65ec522bfa2588ae9
-
SHA512
4c1d47ec5546879da086cc773d4338506da14392cb767f9c8a38968744016ed8bf4f5a81653c0ffc639690871fc44a446877d75bf85585266e864b1b93301ca3
-
SSDEEP
196608:UXkCEHUrw55FD7Rkadk0iZE4t8jP12sJhEmXHk3g27CwEVDg72jzA3VVkimp:nCE2yP7RkadkO4t8TktHvCb7jzcVVkiG
Malware Config
Extracted
nanocore
1.2.2.0
haxorbaba.duckdns.org:1604
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-05-25T14:42:31.650976636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3994
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
haxorbaba.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Nanocore family
-
Executes dropped EXE 64 IoCs
pid Process 1984 Chrome.exe 4560 Chrome.exe 792 Chrome.exe 2396 Chrome.exe 4204 Chrome.exe 4580 Chrome.exe 4696 Chrome.exe 240 Chrome.exe 3692 Chrome.exe 2648 Chrome.exe 1172 Chrome.exe 4488 Chrome.exe 1876 Chrome.exe 2120 Chrome.exe 1964 Chrome.exe 804 Chrome.exe 2940 Chrome.exe 3124 Chrome.exe 692 Chrome.exe 464 Chrome.exe 1676 Chrome.exe 1696 Chrome.exe 2184 Chrome.exe 3132 Chrome.exe 3436 Chrome.exe 3196 Chrome.exe 4724 Chrome.exe 988 Chrome.exe 3688 Chrome.exe 1608 Chrome.exe 1224 Chrome.exe 956 Chrome.exe 4628 Chrome.exe 2160 Chrome.exe 2100 Chrome.exe 4696 Chrome.exe 4068 Chrome.exe 3692 Chrome.exe 1216 Chrome.exe 384 Chrome.exe 4456 Chrome.exe 4740 Chrome.exe 2336 Chrome.exe 2940 Chrome.exe 5100 Chrome.exe 3704 Chrome.exe 1780 Chrome.exe 3616 Chrome.exe 2040 Chrome.exe 2572 Chrome.exe 2824 Chrome.exe 3324 Chrome.exe 4572 Chrome.exe 2236 Chrome.exe 876 Chrome.exe 4836 Chrome.exe 2176 Chrome.exe 2080 Chrome.exe 4264 Chrome.exe 1360 Chrome.exe 1876 Chrome.exe 4112 Chrome.exe 908 Chrome.exe 5100 Chrome.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Manager = "C:\\Program Files (x86)\\SAAS Manager\\saasmgr.exe" Chrome.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chrome.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 1984 set thread context of 4560 1984 Chrome.exe 81 PID 792 set thread context of 2396 792 Chrome.exe 84 PID 4204 set thread context of 4580 4204 Chrome.exe 87 PID 4696 set thread context of 240 4696 Chrome.exe 94 PID 3692 set thread context of 2648 3692 Chrome.exe 97 PID 1172 set thread context of 4488 1172 Chrome.exe 100 PID 1876 set thread context of 2120 1876 Chrome.exe 103 PID 1964 set thread context of 804 1964 Chrome.exe 106 PID 2940 set thread context of 3124 2940 Chrome.exe 346 PID 692 set thread context of 464 692 Chrome.exe 256 PID 1676 set thread context of 1696 1676 Chrome.exe 258 PID 2184 set thread context of 3132 2184 Chrome.exe 118 PID 3436 set thread context of 3196 3436 Chrome.exe 266 PID 4724 set thread context of 988 4724 Chrome.exe 526 PID 3688 set thread context of 1608 3688 Chrome.exe 335 PID 1224 set thread context of 956 1224 Chrome.exe 131 PID 4628 set thread context of 2160 4628 Chrome.exe 248 PID 2100 set thread context of 4696 2100 Chrome.exe 140 PID 4068 set thread context of 3692 4068 Chrome.exe 254 PID 1216 set thread context of 384 1216 Chrome.exe 518 PID 4456 set thread context of 4740 4456 Chrome.exe 151 PID 2336 set thread context of 2940 2336 Chrome.exe 156 PID 5100 set thread context of 3704 5100 Chrome.exe 632 PID 1780 set thread context of 3616 1780 Chrome.exe 162 PID 2040 set thread context of 2572 2040 Chrome.exe 711 PID 2824 set thread context of 3324 2824 Chrome.exe 707 PID 4572 set thread context of 2236 4572 Chrome.exe 377 PID 876 set thread context of 4836 876 Chrome.exe 692 PID 2176 set thread context of 2080 2176 Chrome.exe 790 PID 4264 set thread context of 1360 4264 Chrome.exe 182 PID 1876 set thread context of 4112 1876 Chrome.exe 650 PID 908 set thread context of 5100 908 Chrome.exe 338 PID 3396 set thread context of 3120 3396 Chrome.exe 473 PID 1604 set thread context of 1980 1604 Chrome.exe 196 PID 1872 set thread context of 3924 1872 Chrome.exe 199 PID 2884 set thread 
context of 1984 2884 Chrome.exe 508 PID 5016 set thread context of 5044 5016 Chrome.exe 895 PID 3796 set thread context of 1000 3796 Chrome.exe 843 PID 4736 set thread context of 2332 4736 Chrome.exe 981 PID 4264 set thread context of 4848 4264 Chrome.exe 390 PID 2580 set thread context of 4320 2580 Chrome.exe 219 PID 3888 set thread context of 1724 3888 Chrome.exe 1076 PID 4656 set thread context of 2528 4656 Chrome.exe 840 PID 1692 set thread context of 2720 1692 Chrome.exe 230 PID 2708 set thread context of 1576 2708 Chrome.exe 235 PID 4904 set thread context of 4700 4904 Chrome.exe 985 PID 3152 set thread context of 3004 3152 Chrome.exe 1224 PID 4840 set thread context of 4068 4840 Chrome.exe 1256 PID 2160 set thread context of 1300 2160 Chrome.exe 424 PID 4264 set thread context of 1060 4264 Chrome.exe 252 PID 464 set thread context of 2388 464 Chrome.exe 844 PID 3888 set thread context of 384 3888 Chrome.exe 518 PID 4656 set thread context of 1780 4656 Chrome.exe 894 PID 1612 set thread context of 3196 1612 Chrome.exe 1365 PID 4912 set thread context of 760 4912 Chrome.exe 554 PID 4532 set thread context of 1996 4532 Chrome.exe 272 PID 3352 set thread context of 3864 3352 Chrome.exe 277 PID 1988 set thread context of 1932 1988 Chrome.exe 280 PID 632 set thread context of 1236 632 Chrome.exe 1334 PID 2236 set thread context of 3644 2236 Chrome.exe 697 PID 4868 set thread context of 2300 4868 Chrome.exe 291 PID 3792 set thread context of 644 3792 Chrome.exe 1511 PID 1612 set thread context of 4376 1612 Chrome.exe 1423 PID 3444 set thread context of 2100 3444 Chrome.exe 1574 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\SAAS Manager\saasmgr.exe Chrome.exe File opened for modification C:\Program Files (x86)\SAAS Manager\saasmgr.exe Chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
pid pid_target Process procid_target 3352 956 WerFault.exe 131 3644 4696 WerFault.exe 140 4752 4740 WerFault.exe 151 1836 3616 WerFault.exe 162 4848 1360 WerFault.exe 182 1560 3924 WerFault.exe 199 3580 4320 WerFault.exe 219 4580 2720 WerFault.exe 230 2324 1576 WerFault.exe 235 3692 1060 WerFault.exe 252 5016 1996 WerFault.exe 272 3596 1932 WerFault.exe 280 3108 2300 WerFault.exe 291 4508 336 WerFault.exe 308 1664 3224 WerFault.exe 313 1140 3792 WerFault.exe 327 1228 5100 WerFault.exe 338 864 3104 WerFault.exe 364 1384 2240 WerFault.exe 378 3588 2232 WerFault.exe 386 3200 2176 WerFault.exe 391 3916 2916 WerFault.exe 402 2080 2860 WerFault.exe 413 3024 1300 WerFault.exe 424 2308 3592 WerFault.exe 432 5072 1464 WerFault.exe 437 1836 2316 WerFault.exe 442 2172 2472 WerFault.exe 462 5040 2604 WerFault.exe 476 4264 1128 WerFault.exe 496 1108 2396 WerFault.exe 501 644 3152 WerFault.exe 545 952 3140 WerFault.exe 553 4208 2708 WerFault.exe 567 688 1668 WerFault.exe 572 4756 2328 WerFault.exe 577 4556 1608 WerFault.exe 591 2928 1612 WerFault.exe 596 4420 876 WerFault.exe 607 428 1384 WerFault.exe 621 868 1720 WerFault.exe 629 4816 4232 WerFault.exe 634 2488 2060 WerFault.exe 639 5084 4184 WerFault.exe 659 3448 3596 WerFault.exe 664 2864 4900 WerFault.exe 681 3580 820 WerFault.exe 689 2644 3644 WerFault.exe 697 4684 3484 WerFault.exe 717 3124 2792 WerFault.exe 731 804 4216 WerFault.exe 739 8 1240 WerFault.exe 744 844 464 WerFault.exe 755 2436 5016 WerFault.exe 760 560 2812 WerFault.exe 765 3200 4844 WerFault.exe 776 1192 2080 WerFault.exe 790 3568 1768 WerFault.exe 819 2952 428 WerFault.exe 827 2288 1072 WerFault.exe 835 2172 2436 WerFault.exe 846 5040 5076 WerFault.exe 857 4412 2564 WerFault.exe 868 4652 5048 WerFault.exe 876 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3832 schtasks.exe 1892 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe 4560 Chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4560 Chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1984 Chrome.exe Token: SeDebugPrivilege 792 Chrome.exe Token: SeDebugPrivilege 4204 Chrome.exe Token: SeDebugPrivilege 4696 Chrome.exe Token: SeDebugPrivilege 3692 Chrome.exe Token: SeDebugPrivilege 4560 Chrome.exe Token: SeDebugPrivilege 1172 Chrome.exe Token: SeDebugPrivilege 1876 Chrome.exe Token: SeDebugPrivilege 1964 Chrome.exe Token: SeDebugPrivilege 2940 Chrome.exe Token: SeDebugPrivilege 692 Chrome.exe Token: SeDebugPrivilege 1676 Chrome.exe Token: SeDebugPrivilege 2184 Chrome.exe Token: SeDebugPrivilege 3436 Chrome.exe Token: SeDebugPrivilege 4724 Chrome.exe Token: SeDebugPrivilege 3688 Chrome.exe Token: SeDebugPrivilege 1224 Chrome.exe Token: SeDebugPrivilege 4628 Chrome.exe Token: SeDebugPrivilege 2100 Chrome.exe Token: SeDebugPrivilege 4068 Chrome.exe Token: SeDebugPrivilege 1216 Chrome.exe Token: SeDebugPrivilege 4456 Chrome.exe Token: SeDebugPrivilege 2336 Chrome.exe Token: SeDebugPrivilege 5100 Chrome.exe Token: SeDebugPrivilege 1780 Chrome.exe Token: SeDebugPrivilege 2040 Chrome.exe Token: SeDebugPrivilege 2824 Chrome.exe Token: SeDebugPrivilege 4572 Chrome.exe Token: SeDebugPrivilege 876 Chrome.exe Token: SeDebugPrivilege 2176 Chrome.exe Token: SeDebugPrivilege 4264 Chrome.exe Token: SeDebugPrivilege 1876 Chrome.exe Token: SeDebugPrivilege 908 Chrome.exe Token: SeDebugPrivilege 3396 Chrome.exe Token: SeDebugPrivilege 1604 Chrome.exe Token: SeDebugPrivilege 1872 Chrome.exe Token: SeDebugPrivilege 2884 Chrome.exe Token: SeDebugPrivilege 5016 Chrome.exe Token: SeDebugPrivilege 3796 Chrome.exe Token: SeDebugPrivilege 4736 Chrome.exe Token: SeDebugPrivilege 4264 Chrome.exe Token: SeDebugPrivilege 2580 Chrome.exe Token: SeDebugPrivilege 3888 Chrome.exe Token: SeDebugPrivilege 4656 Chrome.exe Token: SeDebugPrivilege 1692 Chrome.exe Token: SeDebugPrivilege 2708 Chrome.exe Token: SeDebugPrivilege 4904 Chrome.exe Token: SeDebugPrivilege 3152 Chrome.exe Token: SeDebugPrivilege 4840 Chrome.exe Token: 
SeDebugPrivilege 2160 Chrome.exe Token: SeDebugPrivilege 4264 Chrome.exe Token: SeDebugPrivilege 464 Chrome.exe Token: SeDebugPrivilege 3888 Chrome.exe Token: SeDebugPrivilege 4656 Chrome.exe Token: SeDebugPrivilege 1612 Chrome.exe Token: SeDebugPrivilege 4912 Chrome.exe Token: SeDebugPrivilege 4532 Chrome.exe Token: SeDebugPrivilege 3352 Chrome.exe Token: SeDebugPrivilege 1988 Chrome.exe Token: SeDebugPrivilege 632 Chrome.exe Token: SeDebugPrivilege 2236 Chrome.exe Token: SeDebugPrivilege 4868 Chrome.exe Token: SeDebugPrivilege 3792 Chrome.exe Token: SeDebugPrivilege 1612 Chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2436 wrote to memory of 4624 2436 Setup.exe 79 PID 2436 wrote to memory of 4624 2436 Setup.exe 79 PID 2436 wrote to memory of 4624 2436 Setup.exe 79 PID 2436 wrote to memory of 1984 2436 Setup.exe 80 PID 2436 wrote to memory of 1984 2436 Setup.exe 80 PID 2436 wrote to memory of 1984 2436 Setup.exe 80 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 1984 wrote to memory of 4560 1984 Chrome.exe 81 PID 4624 wrote to memory of 3152 4624 Setup.exe 82 PID 4624 wrote to memory of 3152 4624 Setup.exe 82 PID 4624 wrote to memory of 3152 4624 Setup.exe 82 PID 4624 wrote to memory of 792 4624 Setup.exe 83 PID 4624 wrote to memory of 792 4624 Setup.exe 83 PID 4624 wrote to memory of 792 4624 Setup.exe 83 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 792 wrote to memory of 2396 792 Chrome.exe 84 PID 3152 wrote to memory of 3796 3152 Setup.exe 85 PID 3152 wrote to memory of 3796 3152 Setup.exe 85 PID 3152 wrote to memory of 3796 3152 Setup.exe 85 PID 3152 wrote to memory of 4204 3152 Setup.exe 86 PID 3152 wrote to memory of 4204 3152 Setup.exe 86 PID 3152 wrote to memory of 4204 3152 Setup.exe 86 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to 
memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4204 wrote to memory of 4580 4204 Chrome.exe 87 PID 4560 wrote to memory of 1892 4560 Chrome.exe 88 PID 4560 wrote to memory of 1892 4560 Chrome.exe 88 PID 4560 wrote to memory of 1892 4560 Chrome.exe 88 PID 3796 wrote to memory of 1456 3796 Setup.exe 143 PID 3796 wrote to memory of 1456 3796 Setup.exe 143 PID 3796 wrote to memory of 1456 3796 Setup.exe 143 PID 3796 wrote to memory of 4696 3796 Setup.exe 140 PID 3796 wrote to memory of 4696 3796 Setup.exe 140 PID 3796 wrote to memory of 4696 3796 Setup.exe 140 PID 4560 wrote to memory of 3832 4560 Chrome.exe 92 PID 4560 wrote to memory of 3832 4560 Chrome.exe 92 PID 4560 wrote to memory of 3832 4560 Chrome.exe 92 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 4696 wrote to memory of 240 4696 Chrome.exe 94 PID 1456 wrote to memory of 1384 1456 Setup.exe 95 PID 1456 wrote to memory of 1384 1456 Setup.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"6⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"7⤵
- System Location Discovery: System Language Discovery
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"8⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"9⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"10⤵
- System Location Discovery: System Language Discovery
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"11⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"12⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"13⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"14⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"15⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"16⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"17⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"18⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"19⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"20⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"21⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"22⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"23⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"24⤵
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"25⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"26⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"27⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"28⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"29⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"30⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"31⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"32⤵
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"33⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"34⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"35⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"36⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"37⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"38⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"39⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"40⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"41⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"42⤵
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"43⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"44⤵
- System Location Discovery: System Language Discovery
PID:644 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"45⤵
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"46⤵
- System Location Discovery: System Language Discovery
PID:868 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"47⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"48⤵
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"49⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"50⤵
- System Location Discovery: System Language Discovery
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"51⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"52⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"53⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"54⤵
- System Location Discovery: System Language Discovery
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"55⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"56⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"57⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"58⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"59⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"60⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"61⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"62⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"63⤵
- System Location Discovery: System Language Discovery
PID:924 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"64⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"65⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"66⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"67⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"68⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"69⤵PID:820
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"70⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"71⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"72⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"73⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"74⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"75⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"76⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"77⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"78⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"79⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"80⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"81⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"82⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"83⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"84⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"85⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"86⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"87⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"88⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"89⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"90⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"91⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"92⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"93⤵PID:576
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"94⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"95⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"96⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"97⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"98⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"99⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"100⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"101⤵PID:2572
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"102⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"103⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"104⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"105⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"106⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"107⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"108⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"109⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"110⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"111⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"112⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"113⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"114⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"115⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"116⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"117⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"118⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"119⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"120⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"121⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"122⤵PID:4884