Analysis
-
max time kernel
809s -
max time network
808s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
05/03/2025, 01:28
Static task
static1
General
-
Target
BootstrapperNew.exe
-
Size
3.0MB
-
MD5
f0808c46f3f8beca942c18e5ff0e737e
-
SHA1
f724dd3061a299af90aa55388992a9fc9a20f97b
-
SHA256
f583e11fae8f7eba302fa26cbe93cf42bebd67dca79368ff86f6ec3defca3b06
-
SHA512
52cdba2724bacfcf29f45b9b2b5e92eeb7c187558356ff702e486e4031d62143adbd83a6188e4879623d7c99f5f048f235cfdd2fd97764d9a803f437c2e31fdd
-
SSDEEP
49152:RVerDSYrnhY+89P75F2W7f2IZV0189oBVTBSPLZpwM7hRYkbZJambGlkP6:OD7q+K7X2m/V03TBSPDwMLYkzrGlb
Malware Config
Extracted
xworm
127.0.0.1:5467
google-rocks.gl.at.ply.gg:5467
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023d1e-6.dat family_xworm behavioral1/memory/4512-14-0x0000000000480000-0x000000000049A000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3912 powershell.exe 1396 powershell.exe 4660 powershell.exe 5016 powershell.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation BootstrapperNew.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Solara.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Solara.exe -
Executes dropped EXE 64 IoCs
pid Process 4512 Solara.exe 5028 Solara.exe 4572 Solara.exe 2788 Solara.exe 5040 Solara.exe 2868 Solara.exe 1800 Solara.exe 1680 Solara.exe 2200 Solara.exe 3952 Solara.exe 2716 Solara.exe 4936 Solara.exe 3680 Solara.exe 1632 Solara.exe 2220 Solara.exe 1232 Solara.exe 1252 Solara.exe 3432 Solara.exe 2924 Solara.exe 2236 Solara.exe 3272 Solara.exe 3004 Solara.exe 3464 Solara.exe 1420 Solara.exe 2824 Solara.exe 1180 Solara.exe 2980 Solara.exe 4576 Solara.exe 1188 Solara.exe 768 Solara.exe 2648 Solara.exe 1516 Solara.exe 2056 Solara.exe 1552 Solara.exe 1644 Solara.exe 4320 Solara.exe 4072 Solara.exe 4336 Solara.exe 728 Solara.exe 264 Solara.exe 2568 Solara.exe 1952 Solara.exe 412 Solara.exe 4680 Solara.exe 4272 Solara.exe 3236 Solara.exe 1712 Solara.exe 1252 Solara.exe 2784 Solara.exe 4020 Solara.exe 4756 Solara.exe 4212 Solara.exe 4808 Solara.exe 3368 Solara.exe 2900 Solara.exe 4832 Solara.exe 2644 Solara.exe 3968 Solara.exe 4804 Solara.exe 1176 Solara.exe 4912 Solara.exe 3296 Solara.exe 3364 Solara.exe 4492 Solara.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" Solara.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings taskmgr.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1036 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5016 powershell.exe 3912 powershell.exe 1396 powershell.exe 4660 powershell.exe 4512 Solara.exe 3856 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3856 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
pid Process 4152 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4512 Solara.exe Token: SeDebugPrivilege 5028 Solara.exe Token: SeDebugPrivilege 4572 Solara.exe Token: SeDebugPrivilege 2788 Solara.exe Token: SeDebugPrivilege 5040 Solara.exe Token: SeDebugPrivilege 2868 Solara.exe Token: SeDebugPrivilege 1800 Solara.exe Token: SeDebugPrivilege 1680 Solara.exe Token: SeDebugPrivilege 2200 Solara.exe Token: SeDebugPrivilege 3952 Solara.exe Token: SeDebugPrivilege 2716 Solara.exe Token: SeDebugPrivilege 4936 Solara.exe Token: SeDebugPrivilege 3680 Solara.exe Token: SeDebugPrivilege 1632 Solara.exe Token: SeDebugPrivilege 2220 Solara.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeDebugPrivilege 1232 Solara.exe Token: SeDebugPrivilege 1252 Solara.exe Token: SeDebugPrivilege 3912 powershell.exe Token: SeDebugPrivilege 3432 Solara.exe Token: SeDebugPrivilege 2924 Solara.exe Token: SeDebugPrivilege 2236 Solara.exe Token: SeDebugPrivilege 1396 powershell.exe Token: SeDebugPrivilege 3272 Solara.exe Token: SeDebugPrivilege 3004 Solara.exe Token: SeDebugPrivilege 3464 Solara.exe Token: SeDebugPrivilege 4660 powershell.exe Token: SeDebugPrivilege 1420 Solara.exe Token: SeDebugPrivilege 2824 Solara.exe Token: SeDebugPrivilege 1180 Solara.exe Token: SeDebugPrivilege 2980 Solara.exe Token: SeDebugPrivilege 4576 Solara.exe Token: SeDebugPrivilege 1188 Solara.exe Token: SeDebugPrivilege 768 Solara.exe Token: SeDebugPrivilege 2648 Solara.exe Token: SeDebugPrivilege 1516 Solara.exe Token: SeDebugPrivilege 4512 Solara.exe Token: SeDebugPrivilege 2056 Solara.exe Token: SeDebugPrivilege 1552 Solara.exe Token: SeDebugPrivilege 1644 Solara.exe Token: SeDebugPrivilege 4320 Solara.exe Token: SeDebugPrivilege 4072 Solara.exe Token: SeDebugPrivilege 4336 Solara.exe Token: SeDebugPrivilege 728 Solara.exe Token: SeDebugPrivilege 264 Solara.exe Token: SeDebugPrivilege 2568 Solara.exe Token: SeDebugPrivilege 1952 Solara.exe Token: SeDebugPrivilege 412 Solara.exe Token: SeDebugPrivilege 4680 Solara.exe 
Token: SeDebugPrivilege 4272 Solara.exe Token: SeDebugPrivilege 3236 Solara.exe Token: SeDebugPrivilege 1712 Solara.exe Token: SeDebugPrivilege 1252 Solara.exe Token: SeDebugPrivilege 2784 Solara.exe Token: SeDebugPrivilege 4020 Solara.exe Token: SeDebugPrivilege 4756 Solara.exe Token: SeDebugPrivilege 4212 Solara.exe Token: SeDebugPrivilege 4808 Solara.exe Token: SeDebugPrivilege 3368 Solara.exe Token: SeDebugPrivilege 2900 Solara.exe Token: SeDebugPrivilege 4832 Solara.exe Token: SeDebugPrivilege 2644 Solara.exe Token: SeDebugPrivilege 3968 Solara.exe Token: SeDebugPrivilege 4804 Solara.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3856 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3856 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4512 Solara.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5016 wrote to memory of 644 5016 BootstrapperNew.exe 87 PID 5016 wrote to memory of 644 5016 BootstrapperNew.exe 87 PID 5016 wrote to memory of 4512 5016 BootstrapperNew.exe 88 PID 5016 wrote to memory of 4512 5016 BootstrapperNew.exe 88 PID 644 wrote to memory of 3272 644 BootstrapperNew.exe 90 PID 644 wrote to memory of 3272 644 BootstrapperNew.exe 90 PID 644 wrote to memory of 5028 644 BootstrapperNew.exe 91 PID 644 wrote to memory of 5028 644 BootstrapperNew.exe 91 PID 3272 wrote to memory of 4756 3272 BootstrapperNew.exe 93 PID 3272 wrote to memory of 4756 3272 BootstrapperNew.exe 93 PID 3272 wrote to memory of 4572 3272 BootstrapperNew.exe 94 PID 3272 wrote to memory of 4572 3272 BootstrapperNew.exe 94 PID 4756 wrote to memory of 3236 4756 BootstrapperNew.exe 95 PID 4756 wrote to memory of 3236 4756 BootstrapperNew.exe 95 PID 4756 wrote to memory of 2788 4756 BootstrapperNew.exe 96 PID 4756 wrote to memory of 2788 4756 BootstrapperNew.exe 96 PID 3236 wrote to memory of 3228 3236 BootstrapperNew.exe 98 PID 3236 wrote to memory of 3228 3236 BootstrapperNew.exe 98 PID 3236 wrote to memory of 5040 3236 BootstrapperNew.exe 99 PID 3236 wrote to memory of 5040 3236 BootstrapperNew.exe 99 PID 3228 wrote to memory of 3728 3228 BootstrapperNew.exe 101 PID 3228 wrote to memory of 3728 3228 BootstrapperNew.exe 101 PID 3228 wrote to memory of 2868 3228 BootstrapperNew.exe 102 PID 3228 wrote to memory of 2868 3228 BootstrapperNew.exe 102 PID 3728 wrote to memory of 1580 3728 BootstrapperNew.exe 103 PID 3728 wrote to memory of 1580 3728 BootstrapperNew.exe 103 PID 3728 wrote to memory of 1800 3728 BootstrapperNew.exe 104 PID 3728 wrote to memory of 1800 3728 BootstrapperNew.exe 104 PID 1580 wrote to memory of 2340 1580 BootstrapperNew.exe 105 PID 1580 wrote to memory of 2340 1580 BootstrapperNew.exe 105 PID 1580 wrote to memory of 1680 1580 BootstrapperNew.exe 106 PID 1580 wrote to memory of 1680 1580 BootstrapperNew.exe 106 PID 
2340 wrote to memory of 4400 2340 BootstrapperNew.exe 107 PID 2340 wrote to memory of 4400 2340 BootstrapperNew.exe 107 PID 2340 wrote to memory of 2200 2340 BootstrapperNew.exe 108 PID 2340 wrote to memory of 2200 2340 BootstrapperNew.exe 108 PID 4400 wrote to memory of 4948 4400 BootstrapperNew.exe 109 PID 4400 wrote to memory of 4948 4400 BootstrapperNew.exe 109 PID 4400 wrote to memory of 3952 4400 BootstrapperNew.exe 110 PID 4400 wrote to memory of 3952 4400 BootstrapperNew.exe 110 PID 4948 wrote to memory of 1932 4948 BootstrapperNew.exe 111 PID 4948 wrote to memory of 1932 4948 BootstrapperNew.exe 111 PID 4948 wrote to memory of 2716 4948 BootstrapperNew.exe 112 PID 4948 wrote to memory of 2716 4948 BootstrapperNew.exe 112 PID 1932 wrote to memory of 1184 1932 BootstrapperNew.exe 113 PID 1932 wrote to memory of 1184 1932 BootstrapperNew.exe 113 PID 1932 wrote to memory of 4936 1932 BootstrapperNew.exe 114 PID 1932 wrote to memory of 4936 1932 BootstrapperNew.exe 114 PID 1184 wrote to memory of 3088 1184 BootstrapperNew.exe 115 PID 1184 wrote to memory of 3088 1184 BootstrapperNew.exe 115 PID 1184 wrote to memory of 3680 1184 BootstrapperNew.exe 116 PID 1184 wrote to memory of 3680 1184 BootstrapperNew.exe 116 PID 3088 wrote to memory of 3284 3088 BootstrapperNew.exe 117 PID 3088 wrote to memory of 3284 3088 BootstrapperNew.exe 117 PID 3088 wrote to memory of 1632 3088 BootstrapperNew.exe 118 PID 3088 wrote to memory of 1632 3088 BootstrapperNew.exe 118 PID 4512 wrote to memory of 5016 4512 Solara.exe 120 PID 4512 wrote to memory of 5016 4512 Solara.exe 120 PID 3284 wrote to memory of 2552 3284 BootstrapperNew.exe 119 PID 3284 wrote to memory of 2552 3284 BootstrapperNew.exe 119 PID 3284 wrote to memory of 2220 3284 BootstrapperNew.exe 121 PID 3284 wrote to memory of 2220 3284 BootstrapperNew.exe 121 PID 2552 wrote to memory of 3484 2552 BootstrapperNew.exe 123 PID 2552 wrote to memory of 3484 2552 BootstrapperNew.exe 123 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"9⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"10⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"11⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"12⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"13⤵
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"14⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"15⤵
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"16⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"17⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"18⤵
- Checks computer location settings
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"19⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"20⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"21⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"22⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"23⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"24⤵
- Checks computer location settings
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"25⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"26⤵
- Checks computer location settings
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"27⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"28⤵
- Checks computer location settings
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"29⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"30⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"31⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"32⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"33⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"34⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"35⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"36⤵
- Checks computer location settings
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"37⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"38⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"39⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"40⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"41⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"42⤵
- Checks computer location settings
PID:428 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"43⤵
- Checks computer location settings
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"44⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"45⤵
- Checks computer location settings
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"46⤵
- Checks computer location settings
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"47⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"48⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"49⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"50⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"51⤵
- Checks computer location settings
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"52⤵
- Checks computer location settings
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"53⤵
- Checks computer location settings
PID:3552 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"54⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"55⤵
- Checks computer location settings
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"56⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"57⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"58⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"59⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"60⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"61⤵
- Checks computer location settings
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"62⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"63⤵
- Checks computer location settings
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"64⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"65⤵
- Checks computer location settings
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"66⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"67⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"68⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"69⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"70⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"71⤵
- Checks computer location settings
PID:976 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"72⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"73⤵
- Checks computer location settings
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"74⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"75⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"76⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"77⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"78⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"79⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"80⤵PID:376
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"81⤵
- Checks computer location settings
PID:888 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"82⤵
- Checks computer location settings
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"83⤵
- Checks computer location settings
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"84⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"85⤵
- Checks computer location settings
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"86⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"87⤵PID:336
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"88⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"89⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"90⤵
- Checks computer location settings
PID:436 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"91⤵
- Checks computer location settings
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"92⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"93⤵
- Checks computer location settings
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"94⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"95⤵
- Checks computer location settings
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"96⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"97⤵
- Checks computer location settings
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"98⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"99⤵
- Checks computer location settings
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"100⤵
- Checks computer location settings
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"101⤵
- Checks computer location settings
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"102⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"103⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"104⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"105⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"106⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"107⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"108⤵
- Checks computer location settings
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"109⤵
- Checks computer location settings
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"110⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"111⤵
- Checks computer location settings
PID:888 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"112⤵
- Checks computer location settings
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"113⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"114⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"115⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"116⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"117⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"118⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"119⤵
- Checks computer location settings
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"120⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"121⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"122⤵PID:4748
-