nanocore | 5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

524KB
MD5

81ffddf2c1d7905204a67f6577e2dc68
SHA1

a89c37a3e12a46ac714887d509a1849791b4b244
SHA256

5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7
SHA512

b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a
SSDEEP

6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP

Score

10^/10

nanocore discovery evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

original-financial.gl.at.ply.gg:28916

Mutex

d516db18-d565-4fff-a872-0ad0fd1f18ca

Attributes

activate_away_mode
true
backup_connection_host
original-financial.gl.at.ply.gg
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-13T19:32:56.304391136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28916
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d516db18-d565-4fff-a872-0ad0fd1f18ca
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
836	powershell.exe
1700	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2140	111111111111111111111111111111111111.exe
2644	injection.exe
2532	111111111111111111111111111111111111.exe
2416	injection.exe
1932	111111111111111111111111111111111111.exe
536	injection.exe
1660	injection.exe
1572	111111111111111111111111111111111111.exe
2900	111111111111111111111111111111111111.exe
1784	injection.exe
340	111111111111111111111111111111111111.exe
632	injection.exe
3052	111111111111111111111111111111111111.exe
2068	injection.exe
2728	111111111111111111111111111111111111.exe
2632	injection.exe
2044	wlanext.exe
2664	111111111111111111111111111111111111.exe
1944	injection.exe
2964	111111111111111111111111111111111111.exe
2476	injection.exe
2648	111111111111111111111111111111111111.exe
2912	injection.exe
220	111111111111111111111111111111111111.exe
1356	injection.exe
692	111111111111111111111111111111111111.exe
668	injection.exe
2600	111111111111111111111111111111111111.exe
1636	injection.exe
2908	111111111111111111111111111111111111.exe
2420	injection.exe
1780	111111111111111111111111111111111111.exe
2692	injection.exe
2012	111111111111111111111111111111111111.exe
2684	injection.exe
1880	111111111111111111111111111111111111.exe
2404	injection.exe
1192	111111111111111111111111111111111111.exe
2152	injection.exe
2252	111111111111111111111111111111111111.exe
1284	injection.exe
2844	111111111111111111111111111111111111.exe
572	injection.exe
1836	111111111111111111111111111111111111.exe
2808	injection.exe
624	111111111111111111111111111111111111.exe
2508	injection.exe
1532	111111111111111111111111111111111111.exe
1492	injection.exe
1944	111111111111111111111111111111111111.exe
804	injection.exe
2488	111111111111111111111111111111111111.exe
1580	injection.exe
1780	111111111111111111111111111111111111.exe
1296	injection.exe
900	111111111111111111111111111111111111.exe
232	injection.exe
476	111111111111111111111111111111111111.exe
744	injection.exe
2924	111111111111111111111111111111111111.exe
2316	injection.exe
2304	111111111111111111111111111111111111.exe
2808	injection.exe
2724	111111111111111111111111111111111111.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	111111111111111111111111111111111111.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlanext.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111111111111111111111111111111111111.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
836	powershell.exe
1700	powershell.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
2140	111111111111111111111111111111111111.exe
1888	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2140	111111111111111111111111111111111111.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	injection.exe
Token: SeDebugPrivilege	2140	111111111111111111111111111111111111.exe
Token: SeDebugPrivilege	2416	injection.exe
Token: SeDebugPrivilege	536	injection.exe
Token: SeBackupPrivilege	1924	vssvc.exe
Token: SeRestorePrivilege	1924	vssvc.exe
Token: SeAuditPrivilege	1924	vssvc.exe
Token: SeDebugPrivilege	1660	injection.exe
Token: SeDebugPrivilege	1784	injection.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	632	injection.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2068	injection.exe
Token: SeDebugPrivilege	2632	injection.exe
Token: SeDebugPrivilege	2044	wlanext.exe
Token: SeDebugPrivilege	2044	wlanext.exe
Token: SeDebugPrivilege	1944	injection.exe
Token: SeDebugPrivilege	2476	injection.exe
Token: SeDebugPrivilege	2912	injection.exe
Token: SeDebugPrivilege	1356	injection.exe
Token: SeDebugPrivilege	668	injection.exe
Token: SeDebugPrivilege	1636	injection.exe
Token: SeDebugPrivilege	2420	injection.exe
Token: SeDebugPrivilege	2692	injection.exe
Token: SeDebugPrivilege	2684	injection.exe
Token: SeDebugPrivilege	2404	injection.exe
Token: SeDebugPrivilege	2152	injection.exe
Token: SeDebugPrivilege	1284	injection.exe
Token: SeDebugPrivilege	572	injection.exe
Token: SeDebugPrivilege	2808	injection.exe
Token: SeDebugPrivilege	2508	injection.exe
Token: SeDebugPrivilege	1492	injection.exe
Token: SeDebugPrivilege	804	injection.exe
Token: SeDebugPrivilege	1580	injection.exe
Token: SeDebugPrivilege	1296	injection.exe
Token: SeDebugPrivilege	232	injection.exe
Token: SeDebugPrivilege	744	injection.exe
Token: SeDebugPrivilege	2316	injection.exe
Token: SeDebugPrivilege	2808	injection.exe
Token: SeDebugPrivilege	2112	injection.exe
Token: SeDebugPrivilege	1988	injection.exe
Token: SeDebugPrivilege	788	injection.exe
Token: SeDebugPrivilege	1948	injection.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1264	injection.exe
Token: SeDebugPrivilege	1672	injection.exe
Token: SeDebugPrivilege	1232	injection.exe
Token: SeDebugPrivilege	2312	injection.exe
Token: SeDebugPrivilege	3064	injection.exe
Token: SeDebugPrivilege	1872	injection.exe
Token: SeDebugPrivilege	800	injection.exe
Token: SeDebugPrivilege	2492	injection.exe
Token: SeDebugPrivilege	1360	injection.exe
Token: SeDebugPrivilege	336	injection.exe
Token: SeDebugPrivilege	2236	injection.exe
Token: SeDebugPrivilege	920	injection.exe
Token: SeDebugPrivilege	1636	injection.exe
Token: SeDebugPrivilege	2832	injection.exe
Token: SeDebugPrivilege	2200	injection.exe
Token: SeDebugPrivilege	2544	injection.exe
Token: SeDebugPrivilege	1296	injection.exe
Token: SeDebugPrivilege	212	injection.exe
Token: SeDebugPrivilege	1932	injection.exe
Token: SeDebugPrivilege	684	injection.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2140	2192	Setup.exe	28
PID 2192 wrote to memory of 2140	2192	Setup.exe	28
PID 2192 wrote to memory of 2140	2192	Setup.exe	28
PID 2192 wrote to memory of 2140	2192	Setup.exe	28
PID 2192 wrote to memory of 2644	2192	Setup.exe	29
PID 2192 wrote to memory of 2644	2192	Setup.exe	29
PID 2192 wrote to memory of 2644	2192	Setup.exe	29
PID 2192 wrote to memory of 2572	2192	Setup.exe	30
PID 2192 wrote to memory of 2572	2192	Setup.exe	30
PID 2192 wrote to memory of 2572	2192	Setup.exe	30
PID 2572 wrote to memory of 2532	2572	Setup.exe	31
PID 2572 wrote to memory of 2532	2572	Setup.exe	31
PID 2572 wrote to memory of 2532	2572	Setup.exe	31
PID 2572 wrote to memory of 2532	2572	Setup.exe	31
PID 2572 wrote to memory of 2416	2572	Setup.exe	32
PID 2572 wrote to memory of 2416	2572	Setup.exe	32
PID 2572 wrote to memory of 2416	2572	Setup.exe	32
PID 2572 wrote to memory of 2412	2572	Setup.exe	33
PID 2572 wrote to memory of 2412	2572	Setup.exe	33
PID 2572 wrote to memory of 2412	2572	Setup.exe	33
PID 2412 wrote to memory of 1932	2412	Setup.exe	34
PID 2412 wrote to memory of 1932	2412	Setup.exe	34
PID 2412 wrote to memory of 1932	2412	Setup.exe	34
PID 2412 wrote to memory of 1932	2412	Setup.exe	34
PID 2412 wrote to memory of 536	2412	Setup.exe	35
PID 2412 wrote to memory of 536	2412	Setup.exe	35
PID 2412 wrote to memory of 536	2412	Setup.exe	35
PID 2412 wrote to memory of 476	2412	Setup.exe	36
PID 2412 wrote to memory of 476	2412	Setup.exe	36
PID 2412 wrote to memory of 476	2412	Setup.exe	36
PID 476 wrote to memory of 1572	476	Setup.exe	41
PID 476 wrote to memory of 1572	476	Setup.exe	41
PID 476 wrote to memory of 1572	476	Setup.exe	41
PID 476 wrote to memory of 1572	476	Setup.exe	41
PID 476 wrote to memory of 1660	476	Setup.exe	42
PID 476 wrote to memory of 1660	476	Setup.exe	42
PID 476 wrote to memory of 1660	476	Setup.exe	42
PID 476 wrote to memory of 1192	476	Setup.exe	43
PID 476 wrote to memory of 1192	476	Setup.exe	43
PID 476 wrote to memory of 1192	476	Setup.exe	43
PID 1192 wrote to memory of 2900	1192	Setup.exe	44
PID 1192 wrote to memory of 2900	1192	Setup.exe	44
PID 1192 wrote to memory of 2900	1192	Setup.exe	44
PID 1192 wrote to memory of 2900	1192	Setup.exe	44
PID 1192 wrote to memory of 1784	1192	Setup.exe	45
PID 1192 wrote to memory of 1784	1192	Setup.exe	45
PID 1192 wrote to memory of 1784	1192	Setup.exe	45
PID 1192 wrote to memory of 668	1192	Setup.exe	46
PID 1192 wrote to memory of 668	1192	Setup.exe	46
PID 1192 wrote to memory of 668	1192	Setup.exe	46
PID 2644 wrote to memory of 836	2644	injection.exe	47
PID 2644 wrote to memory of 836	2644	injection.exe	47
PID 2644 wrote to memory of 836	2644	injection.exe	47
PID 2644 wrote to memory of 1700	2644	injection.exe	49
PID 2644 wrote to memory of 1700	2644	injection.exe	49
PID 2644 wrote to memory of 1700	2644	injection.exe	49
PID 668 wrote to memory of 340	668	Setup.exe	51
PID 668 wrote to memory of 340	668	Setup.exe	51
PID 668 wrote to memory of 340	668	Setup.exe	51
PID 668 wrote to memory of 340	668	Setup.exe	51
PID 668 wrote to memory of 632	668	Setup.exe	52
PID 668 wrote to memory of 632	668	Setup.exe	52
PID 668 wrote to memory of 632	668	Setup.exe	52
PID 668 wrote to memory of 1792	668	Setup.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
  "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\injection.exe
  "C:\Users\Admin\AppData\Local\Temp\injection.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
    "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\injection.exe
    "C:\Users\Admin\AppData\Local\Temp\injection.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
      "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\injection.exe
      "C:\Users\Admin\AppData\Local\Temp\injection.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:536
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:476
    - - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        7⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        8⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        9⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        10⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        11⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        12⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        13⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        14⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        15⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        16⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        16⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        17⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        18⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        19⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        20⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        21⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        22⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        22⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        23⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        24⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        25⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        26⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        27⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        28⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        29⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        30⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        31⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        32⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        33⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        34⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        35⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        36⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        37⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        38⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        38⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        39⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        40⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        41⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        42⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        43⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        44⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        45⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        46⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        47⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        48⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        49⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        50⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        50⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        51⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        52⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        53⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        54⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        55⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        56⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        57⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        57⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        58⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        58⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        59⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        59⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        60⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        60⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        61⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        61⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        62⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        62⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        63⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        63⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        63⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        64⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        64⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        65⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        65⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        66⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        66⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        67⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        67⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        68⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        68⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        69⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        69⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\injection.exe
        
        "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        70⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        70⤵
        
        PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\taskeng.exe
taskeng.exe {2F532F36-C9C9-4D6D-B467-0558D981F16D} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:2416
- C:\Users\Admin\AppData\Roaming\wlanext.exe
  C:\Users\Admin\AppData\Roaming\wlanext.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe

Filesize
209KB

MD5
9258d024ee6fbfe283978e89e25cbc50

SHA1
123f1309dbc98824ec2ebb12f9883a07b873820e

SHA256
392a00e29a7305ead657c6c10d80b446f8b6bfe25a171e63e43439695f40410a

SHA512
993b2a16cfdc8dbd99753349f923a6baf1e801f79d7fb6aa39e15f617b4f798f355a9edddc9e7579ece562e1c254299e974ac46e70efe576a0985554fec15913

Download Submit
C:\Users\Admin\AppData\Local\Temp\injection.exe

Filesize
399KB

MD5
153deb0e0ffc0b476d5bba8a69778dde

SHA1
4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f

SHA256
4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

SHA512
00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

Download Submit
C:\Users\Admin\AppData\Roaming\DE87A6D6-9D44-4942-9EC6-2BE31B435411\run.dat

Filesize
8B

MD5
38b4b51fe3c4adbf1df174c84588d28f

SHA1
52edf49007fb895890789455aa7d9b2b94ee64d6

SHA256
e3d3d94205406acc2cb07efca53f639a236a4b3a14112dd81d2b4106e4dd8f84

SHA512
2db84a829a283932a8f956bed72cf0f3137b80c921cc5bcc26e61d2b1390ae1d3392ffa71b1687964cde912f7ef24b951df741d3d9e058beb035d31dc6abac2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a586409232b648ed5bb7226141208267

SHA1
b4c0e79ee928b88356e4495e2a2643b6c43b02a6

SHA256
af26cb9c9569921bd123159428341e2f2ddf279e773c5feea783ef60bd8df960

SHA512
4834f80e24e43e0e62dba63bd8bc91b5d1f5d2b3ffbe7a331e04006bcae46d00a37b3994671f24aaafd796a9c948ad9a39bb598e41428a200b16562be563a8fd

Download Submit
memory/212-283-0x0000000000E50000-0x0000000000EBA000-memory.dmp

Filesize
424KB

Download
memory/232-179-0x0000000000100000-0x000000000016A000-memory.dmp

Filesize
424KB

Download
memory/336-251-0x0000000000CD0000-0x0000000000D3A000-memory.dmp

Filesize
424KB

Download
memory/476-311-0x0000000000D90000-0x0000000000DFA000-memory.dmp

Filesize
424KB

Download
memory/572-148-0x0000000000AF0000-0x0000000000B5A000-memory.dmp

Filesize
424KB

Download
memory/668-92-0x0000000000EF0000-0x0000000000F5A000-memory.dmp

Filesize
424KB

Download
memory/684-291-0x0000000000FB0000-0x000000000101A000-memory.dmp

Filesize
424KB

Download
memory/744-183-0x0000000001340000-0x00000000013AA000-memory.dmp

Filesize
424KB

Download
memory/788-204-0x0000000000E30000-0x0000000000E9A000-memory.dmp

Filesize
424KB

Download
memory/800-240-0x00000000008F0000-0x000000000095A000-memory.dmp

Filesize
424KB

Download
memory/804-167-0x0000000000210000-0x000000000027A000-memory.dmp

Filesize
424KB

Download
memory/804-318-0x00000000011E0000-0x000000000124A000-memory.dmp

Filesize
424KB

Download
memory/836-35-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/836-303-0x0000000000170000-0x00000000001DA000-memory.dmp

Filesize
424KB

Download
memory/836-34-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/920-259-0x0000000000FF0000-0x000000000105A000-memory.dmp

Filesize
424KB

Download
memory/1232-226-0x0000000000980000-0x00000000009EA000-memory.dmp

Filesize
424KB

Download
memory/1264-218-0x0000000000240000-0x00000000002AA000-memory.dmp

Filesize
424KB

Download
memory/1284-141-0x0000000000060000-0x00000000000CA000-memory.dmp

Filesize
424KB

Download
memory/1296-175-0x0000000000350000-0x00000000003BA000-memory.dmp

Filesize
424KB

Download
memory/1296-279-0x0000000000260000-0x00000000002CA000-memory.dmp

Filesize
424KB

Download
memory/1356-85-0x0000000001380000-0x00000000013EA000-memory.dmp

Filesize
424KB

Download
memory/1360-247-0x0000000000300000-0x000000000036A000-memory.dmp

Filesize
424KB

Download
memory/1492-163-0x0000000000130000-0x000000000019A000-memory.dmp

Filesize
424KB

Download
memory/1580-171-0x0000000000DD0000-0x0000000000E3A000-memory.dmp

Filesize
424KB

Download
memory/1636-263-0x00000000002A0000-0x000000000030A000-memory.dmp

Filesize
424KB

Download
memory/1636-99-0x00000000000D0000-0x000000000013A000-memory.dmp

Filesize
424KB

Download
memory/1672-222-0x0000000000200000-0x000000000026A000-memory.dmp

Filesize
424KB

Download
memory/1700-44-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1700-45-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1872-236-0x0000000000C60000-0x0000000000CCA000-memory.dmp

Filesize
424KB

Download
memory/1888-214-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1888-213-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/1904-326-0x0000000000EC0000-0x0000000000F2A000-memory.dmp

Filesize
424KB

Download
memory/1932-287-0x0000000000270000-0x00000000002DA000-memory.dmp

Filesize
424KB

Download
memory/1944-64-0x00000000001D0000-0x000000000023A000-memory.dmp

Filesize
424KB

Download
memory/1948-208-0x0000000000890000-0x00000000008FA000-memory.dmp

Filesize
424KB

Download
memory/1988-200-0x0000000001010000-0x000000000107A000-memory.dmp

Filesize
424KB

Download
memory/2044-55-0x0000000000250000-0x00000000002BA000-memory.dmp

Filesize
424KB

Download
memory/2044-56-0x0000000001F10000-0x0000000001F4A000-memory.dmp

Filesize
232KB

Download
memory/2112-196-0x0000000001310000-0x000000000137A000-memory.dmp

Filesize
424KB

Download
memory/2140-19-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download
memory/2140-16-0x0000000074301000-0x0000000074302000-memory.dmp

Filesize
4KB

Download
memory/2140-36-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download
memory/2152-134-0x0000000000EA0000-0x0000000000F0A000-memory.dmp

Filesize
424KB

Download
memory/2156-295-0x0000000000120000-0x000000000018A000-memory.dmp

Filesize
424KB

Download
memory/2192-20-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-15-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-1-0x0000000000AD0000-0x0000000000B58000-memory.dmp

Filesize
544KB

Download
memory/2192-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2200-272-0x0000000000DF0000-0x0000000000E5A000-memory.dmp

Filesize
424KB

Download
memory/2236-255-0x00000000009A0000-0x0000000000A0A000-memory.dmp

Filesize
424KB

Download
memory/2272-330-0x0000000000CE0000-0x0000000000D4A000-memory.dmp

Filesize
424KB

Download
memory/2316-187-0x00000000009C0000-0x0000000000A2A000-memory.dmp

Filesize
424KB

Download
memory/2404-127-0x0000000000F80000-0x0000000000FEA000-memory.dmp

Filesize
424KB

Download
memory/2420-106-0x0000000001230000-0x000000000129A000-memory.dmp

Filesize
424KB

Download
memory/2476-71-0x0000000000C40000-0x0000000000CAA000-memory.dmp

Filesize
424KB

Download
memory/2508-159-0x0000000000AA0000-0x0000000000B0A000-memory.dmp

Filesize
424KB

Download
memory/2644-18-0x0000000000DC0000-0x0000000000E2A000-memory.dmp

Filesize
424KB

Download
memory/2644-17-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2684-120-0x00000000001A0000-0x000000000020A000-memory.dmp

Filesize
424KB

Download
memory/2684-307-0x0000000001370000-0x00000000013DA000-memory.dmp

Filesize
424KB

Download
memory/2692-113-0x0000000001300000-0x000000000136A000-memory.dmp

Filesize
424KB

Download
memory/2712-299-0x0000000000EE0000-0x0000000000F4A000-memory.dmp

Filesize
424KB

Download
memory/2800-337-0x0000000001030000-0x000000000109A000-memory.dmp

Filesize
424KB

Download
memory/2808-191-0x0000000001140000-0x00000000011AA000-memory.dmp

Filesize
424KB

Download
memory/2808-155-0x0000000000A60000-0x0000000000ACA000-memory.dmp

Filesize
424KB

Download
memory/2832-267-0x0000000000290000-0x00000000002FA000-memory.dmp

Filesize
424KB

Download
memory/2912-78-0x0000000000D60000-0x0000000000DCA000-memory.dmp

Filesize
424KB

Download
memory/2996-322-0x0000000001240000-0x00000000012AA000-memory.dmp

Filesize
424KB

Download