netwire | 36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-06-2022 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe
Size

1.6MB
MD5

5abea2f9a0aece3b29fa571b4d15c887
SHA1

d9959bb0087f2c985b603cee0e760f3e0faaab15
SHA256

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4
SHA512

519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

10.59.38.14:2342

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
WindowsUpdate
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
xxwRTjnM
offline_keylogger
true
password
Bigman2017
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 33 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1352-143-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1352-147-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1352-149-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/240-166-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/240-176-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2108-193-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2108-232-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3772-256-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3772-269-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4616-282-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4616-291-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1048-297-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1048-298-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1840-304-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1840-305-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4296-311-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4296-312-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3488-318-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3488-319-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3320-325-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3320-326-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3096-332-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3096-333-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/5000-338-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/5000-340-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4560-346-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4560-347-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1560-353-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/1560-354-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3700-360-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3700-361-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4432-367-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4432-368-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 42 IoCs

Processes:

nTTB.exenTTB.exeHost.exeHost.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exe

pid	process
1872	nTTB.exe
1352	nTTB.exe
1812	Host.exe
240	Host.exe
2992	nTTB.exe
2108	nTTB.exe
1796	nTTB.exe
3092	nTTB.exe
3772	nTTB.exe
3940	nTTB.exe
3812	nTTB.exe
4616	nTTB.exe
4292	nTTB.exe
2760	nTTB.exe
3056	nTTB.exe
1796	nTTB.exe
1048	nTTB.exe
4376	nTTB.exe
4264	nTTB.exe
1840	nTTB.exe
5024	nTTB.exe
4296	nTTB.exe
2756	nTTB.exe
3488	nTTB.exe
1240	nTTB.exe
3320	nTTB.exe
1684	nTTB.exe
3220	nTTB.exe
3096	nTTB.exe
4112	nTTB.exe
5000	nTTB.exe
3352	nTTB.exe
4560	nTTB.exe
2156	nTTB.exe
1560	nTTB.exe
4124	nTTB.exe
3700	nTTB.exe
2396	nTTB.exe
4432	nTTB.exe
1396	nTTB.exe
3472	nTTB.exe
2436	nTTB.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nTTB.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

nTTB.exeHost.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exe

description	pid	process	target process
PID 1872 set thread context of 1352	1872	nTTB.exe	nTTB.exe
PID 1812 set thread context of 240	1812	Host.exe	Host.exe
PID 2992 set thread context of 2108	2992	nTTB.exe	nTTB.exe
PID 1796 set thread context of 3772	1796	nTTB.exe	nTTB.exe
PID 3940 set thread context of 4616	3940	nTTB.exe	nTTB.exe
PID 4292 set thread context of 1048	4292	nTTB.exe	nTTB.exe
PID 4376 set thread context of 1840	4376	nTTB.exe	nTTB.exe
PID 5024 set thread context of 4296	5024	nTTB.exe	nTTB.exe
PID 2756 set thread context of 3488	2756	nTTB.exe	nTTB.exe
PID 1240 set thread context of 3320	1240	nTTB.exe	nTTB.exe
PID 1684 set thread context of 3096	1684	nTTB.exe	nTTB.exe
PID 4112 set thread context of 5000	4112	nTTB.exe	nTTB.exe
PID 3352 set thread context of 4560	3352	nTTB.exe	nTTB.exe
PID 2156 set thread context of 1560	2156	nTTB.exe	nTTB.exe
PID 4124 set thread context of 3700	4124	nTTB.exe	nTTB.exe
PID 2396 set thread context of 4432	2396	nTTB.exe	nTTB.exe
PID 1396 set thread context of 2436	1396	nTTB.exe	nTTB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3960	schtasks.exe
3988	schtasks.exe
3572	schtasks.exe
768	schtasks.exe
4800	schtasks.exe
1516	schtasks.exe
544	schtasks.exe
2688	schtasks.exe
1504	schtasks.exe
5016	schtasks.exe
2408	schtasks.exe
1536	schtasks.exe
1092	schtasks.exe
4008	schtasks.exe
3056	schtasks.exe
460	schtasks.exe
1504	schtasks.exe
4644	schtasks.exe
5072	schtasks.exe
116	schtasks.exe
4708	schtasks.exe
1184	schtasks.exe
2504	schtasks.exe
2760	schtasks.exe
520	schtasks.exe
4284	schtasks.exe
2004	schtasks.exe
1536	schtasks.exe
4156	schtasks.exe
444	schtasks.exe
4192	schtasks.exe
444	schtasks.exe
4380	schtasks.exe
2348	schtasks.exe
4608	schtasks.exe
4756	schtasks.exe
3056	schtasks.exe
368	schtasks.exe
1616	schtasks.exe
3604	schtasks.exe
2452	schtasks.exe
5044	schtasks.exe
808	schtasks.exe
3516	schtasks.exe
692	schtasks.exe
1264	schtasks.exe
3396	schtasks.exe
116	schtasks.exe
4740	schtasks.exe
3092	schtasks.exe
4680	schtasks.exe
4968	schtasks.exe
4316	schtasks.exe
2836	schtasks.exe
3492	schtasks.exe
3980	schtasks.exe
4896	schtasks.exe
1472	schtasks.exe
964	schtasks.exe
4564	schtasks.exe
4280	schtasks.exe
2556	schtasks.exe
2428	schtasks.exe
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exenTTB.exeHost.exenTTB.exe

pid	process
2004	36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe
2004	36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe
1872	nTTB.exe
1872	nTTB.exe
1872	nTTB.exe
1872	nTTB.exe
1872	nTTB.exe
1872	nTTB.exe
1872	nTTB.exe
1872	nTTB.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
2992	nTTB.exe
2992	nTTB.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
1812	Host.exe
2992	nTTB.exe
1812	Host.exe
2992	nTTB.exe
2992	nTTB.exe
1812	Host.exe
1812	Host.exe
2992	nTTB.exe
2992	nTTB.exe
1812	Host.exe
1812	Host.exe
2992	nTTB.exe
2992	nTTB.exe
1812	Host.exe
1812	Host.exe
2992	nTTB.exe
2992	nTTB.exe
1812	Host.exe
1812	Host.exe
2992	nTTB.exe
2992	nTTB.exe
1812	Host.exe
2992	nTTB.exe
1812	Host.exe
2992	nTTB.exe
1812	Host.exe
2992	nTTB.exe
1812	Host.exe
2992	nTTB.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exenTTB.exeHost.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exenTTB.exe

description	pid	process
Token: SeDebugPrivilege	2004	36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe
Token: SeDebugPrivilege	1872	nTTB.exe
Token: SeDebugPrivilege	1812	Host.exe
Token: SeDebugPrivilege	2992	nTTB.exe
Token: SeDebugPrivilege	1796	nTTB.exe
Token: SeDebugPrivilege	3940	nTTB.exe
Token: SeDebugPrivilege	4292	nTTB.exe
Token: SeDebugPrivilege	4376	nTTB.exe
Token: SeDebugPrivilege	5024	nTTB.exe
Token: SeDebugPrivilege	2756	nTTB.exe
Token: SeDebugPrivilege	1240	nTTB.exe
Token: SeDebugPrivilege	1684	nTTB.exe
Token: SeDebugPrivilege	4112	nTTB.exe
Token: SeDebugPrivilege	3352	nTTB.exe
Token: SeDebugPrivilege	2156	nTTB.exe
Token: SeDebugPrivilege	4124	nTTB.exe
Token: SeDebugPrivilege	2396	nTTB.exe
Token: SeDebugPrivilege	1396	nTTB.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.execmd.exenTTB.execmd.execmd.execmd.exenTTB.execmd.exeHost.execmd.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 5068	2004	36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe	cmd.exe
PID 2004 wrote to memory of 5068	2004	36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe	cmd.exe
PID 2004 wrote to memory of 5068	2004	36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe	cmd.exe
PID 5068 wrote to memory of 1872	5068	cmd.exe	nTTB.exe
PID 5068 wrote to memory of 1872	5068	cmd.exe	nTTB.exe
PID 5068 wrote to memory of 1872	5068	cmd.exe	nTTB.exe
PID 1872 wrote to memory of 4716	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 4716	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 4716	1872	nTTB.exe	cmd.exe
PID 4716 wrote to memory of 4192	4716	cmd.exe	schtasks.exe
PID 4716 wrote to memory of 4192	4716	cmd.exe	schtasks.exe
PID 4716 wrote to memory of 4192	4716	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 4328	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 4328	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 4328	1872	nTTB.exe	cmd.exe
PID 4328 wrote to memory of 2688	4328	cmd.exe	schtasks.exe
PID 4328 wrote to memory of 2688	4328	cmd.exe	schtasks.exe
PID 4328 wrote to memory of 2688	4328	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 1352	1872	nTTB.exe	nTTB.exe
PID 1872 wrote to memory of 3084	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 3084	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 3084	1872	nTTB.exe	cmd.exe
PID 3084 wrote to memory of 3420	3084	cmd.exe	schtasks.exe
PID 3084 wrote to memory of 3420	3084	cmd.exe	schtasks.exe
PID 3084 wrote to memory of 3420	3084	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 1812	1352	nTTB.exe	Host.exe
PID 1352 wrote to memory of 1812	1352	nTTB.exe	Host.exe
PID 1352 wrote to memory of 1812	1352	nTTB.exe	Host.exe
PID 1872 wrote to memory of 3356	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 3356	1872	nTTB.exe	cmd.exe
PID 1872 wrote to memory of 3356	1872	nTTB.exe	cmd.exe
PID 3356 wrote to memory of 3880	3356	cmd.exe	schtasks.exe
PID 3356 wrote to memory of 3880	3356	cmd.exe	schtasks.exe
PID 3356 wrote to memory of 3880	3356	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 3940	1812	Host.exe	cmd.exe
PID 1812 wrote to memory of 3940	1812	Host.exe	cmd.exe
PID 1812 wrote to memory of 3940	1812	Host.exe	cmd.exe
PID 3940 wrote to memory of 4988	3940	cmd.exe	schtasks.exe
PID 3940 wrote to memory of 4988	3940	cmd.exe	schtasks.exe
PID 3940 wrote to memory of 4988	3940	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 1956	1812	Host.exe	cmd.exe
PID 1812 wrote to memory of 1956	1812	Host.exe	cmd.exe
PID 1812 wrote to memory of 1956	1812	Host.exe	cmd.exe
PID 1956 wrote to memory of 116	1956	cmd.exe	schtasks.exe
PID 1956 wrote to memory of 116	1956	cmd.exe	schtasks.exe
PID 1956 wrote to memory of 116	1956	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 240	1812	Host.exe	Host.exe
PID 1812 wrote to memory of 492	1812	Host.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe
"C:\Users\Admin\AppData\Local\Temp\36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
5⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\442654818.xml"
5⤵
- Creates scheduled task(s)
PID:2688

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Roaming\nTTB.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\421550132.xml"
7⤵
- Creates scheduled task(s)
PID:116

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" C:\Users\Admin\AppData\Roaming\nTTB.exe
6⤵
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:492

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\878227765.xml"
7⤵
- Creates scheduled task(s)
PID:2556

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:5020

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1852612470.xml"
7⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:400

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\379676986.xml"
7⤵
- Creates scheduled task(s)
PID:4800

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4032

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1592868794.xml"
7⤵
- Creates scheduled task(s)
PID:544

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3812

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4764

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\494476818.xml"
7⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\173871816.xml"
7⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\803807450.xml"
7⤵
- Creates scheduled task(s)
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4824

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2764

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\640043539.xml"
7⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4032

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\192691883.xml"
7⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1096

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2408

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1944527336.xml"
7⤵
- Creates scheduled task(s)
PID:4608

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4740

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3508

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1548879142.xml"
7⤵
- Creates scheduled task(s)
PID:460

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:312

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\914255732.xml"
7⤵
- Creates scheduled task(s)
PID:2428

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4328

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\518607538.xml"
7⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:5112

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\542115381.xml"
7⤵
- Creates scheduled task(s)
PID:2836

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4704

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2552

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\94763725.xml"
7⤵
- Creates scheduled task(s)
PID:520

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1846599178.xml"
7⤵
- Creates scheduled task(s)
PID:5044

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1099579093.xml"
7⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3480

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4336

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1542242973.xml"
7⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:116

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1146594779.xml"
7⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4688

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\511971369.xml"
7⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4308

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\116323175.xml"
7⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2576

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4696

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\139831018.xml"
7⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4076

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1114047610.xml"
7⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4316

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2988

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2095355135.xml"
7⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:5092

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2228

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2118862978.xml"
7⤵
- Creates scheduled task(s)
PID:444

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4704

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\226771457.xml"
7⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4464

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\243188367.xml"
7⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:456

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1224495892.xml"
7⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3936

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3212

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\941244373.xml"
7⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\889877137.xml"
7⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1213053409.xml"
7⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1392

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1604350053.xml"
7⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1468

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\662967281.xml"
7⤵
- Creates scheduled task(s)
PID:2760

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2264

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3188

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1876159089.xml"
7⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1129139004.xml"
7⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4144

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1990958921.xml"
7⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4936

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3112

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2014466764.xml"
7⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1364

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\541531280.xml"
7⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:5016

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4576

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\752310877.xml"
7⤵
- Creates scheduled task(s)
PID:3492

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2356

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1127190611.xml"
7⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1384

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\260682918.xml"
7⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4508

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4296

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\396587436.xml"
7⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3068

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:948

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\939242.xml"
7⤵
- Creates scheduled task(s)
PID:1264

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\675487405.xml"
7⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2844

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1305423039.xml"
7⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3468

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3332

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1905096123.xml"
7⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:964

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1928603966.xml"
7⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2836

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3452

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1181583881.xml"
7⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2072

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3628

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\247292042.xml"
7⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:652

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1797673875.xml"
7⤵
- Creates scheduled task(s)
PID:4708

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1292

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\743894428.xml"
7⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3492

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3536

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1537930199.xml"
7⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4620

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2944

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1210066151.xml"
7⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4200

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3452

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\388170987.xml"
7⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\411678830.xml"
7⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:520

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\435186673.xml"
7⤵
- Creates scheduled task(s)
PID:768

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4560

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4696

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\107322625.xml"
7⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4540

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4716

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\894267463.xml"
7⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4256

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\147247378.xml"
7⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
5⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\810275506.xml"
5⤵
PID:3880

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:4628

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
6⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\302230637.xml"
6⤵
PID:1428

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
5⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
6⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1866626223.xml"
6⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:3980

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
6⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1044731059.xml"
6⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
6⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:4412

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2026038584.xml"
6⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:4212

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
6⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\508490571.xml"
6⤵
- Creates scheduled task(s)
PID:3056

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3264

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3388

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\225239052.xml"
7⤵
- Creates scheduled task(s)
PID:1184

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
6⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
6⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1063719239.xml"
7⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:2844

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\316699154.xml"
7⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4348

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:5068

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\572091280.xml"
7⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
7⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
PID:4292

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\244227232.xml"
7⤵
PID:1668

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
8⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\260644142.xml"
8⤵
PID:3768

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
7⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
7⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
8⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\110893984.xml"
8⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
8⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:4472

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\14914219.xml"
8⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:2380

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
8⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:3968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\382703020.xml"
8⤵
- Creates scheduled task(s)
PID:1504

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:4316

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
8⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
"cmd"
7⤵
PID:5064

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1012638654.xml"
8⤵
PID:5072

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:4212

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
9⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:2284

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1649665221.xml"
9⤵
- Creates scheduled task(s)
PID:4896

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
8⤵
- Executes dropped EXE
PID:2760

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
8⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
8⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
8⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
9⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:4444

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\654512056.xml"
9⤵
- Creates scheduled task(s)
PID:4000

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
9⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:3944

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1635819581.xml"
9⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:384

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
9⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\148870344.xml"
9⤵
PID:4296

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:1860

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
10⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:2380

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\891202653.xml"
10⤵
- Creates scheduled task(s)
PID:3604

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
9⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
9⤵
- Executes dropped EXE
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:4824

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
10⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1280096140.xml"
10⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:1260

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
10⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1483784804.xml"
10⤵
- Creates scheduled task(s)
PID:3092

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:4996

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
10⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\893773923.xml"
10⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:3628

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
10⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
"cmd"
9⤵
PID:3664

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\146753838.xml"
10⤵
PID:5020

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:4392

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
11⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:2772

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1868158628.xml"
11⤵
- Creates scheduled task(s)
PID:3988

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
10⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
11⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:1796

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\828392934.xml"
11⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
11⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:2688

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\425653807.xml"
11⤵
- Creates scheduled task(s)
PID:4192

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:2412

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
11⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1406961332.xml"
11⤵
- Creates scheduled task(s)
PID:964

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
11⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
PID:3204

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2036896966.xml"
11⤵
PID:1092

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:4676

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
12⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\226771457.xml"
12⤵
PID:4324

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
11⤵
- Executes dropped EXE
PID:3488

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
12⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:4008

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\608574011.xml"
12⤵
- Creates scheduled task(s)
PID:4756

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
12⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:2844

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\699866000.xml"
12⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:3472

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
12⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\723373843.xml"
12⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:2108

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
12⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
"cmd"
11⤵
PID:4716

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1278434398.xml"
12⤵
PID:2396

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:2284

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
13⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:4660

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\238836817.xml"
13⤵
PID:3768

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
12⤵
- Executes dropped EXE
PID:3320

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
13⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:5092

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\807911125.xml"
13⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
13⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:3432

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\735439203.xml"
13⤵
- Creates scheduled task(s)
PID:2408

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:1828

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
13⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
PID:2216

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\100815793.xml"
13⤵
- Creates scheduled task(s)
PID:1536

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
14⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:4464

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2039923000.xml"
14⤵
PID:4180

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
13⤵
- Executes dropped EXE
PID:3220

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
13⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:5060

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
14⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1239132522.xml"
14⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:1224

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
14⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:4968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1449912119.xml"
14⤵
- Creates scheduled task(s)
PID:368

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
14⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:1352

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1054263925.xml"
14⤵
- Creates scheduled task(s)
PID:4644

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
14⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
"cmd"
13⤵
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1265043522.xml"
14⤵
PID:2748

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
13⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
15⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:1196

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\637511045.xml"
15⤵
- Creates scheduled task(s)
PID:3516

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
14⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
15⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:3752

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\675032641.xml"
15⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
15⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:5108

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\885812238.xml"
15⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
15⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\490164044.xml"
15⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
15⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\700943641.xml"
15⤵
- Creates scheduled task(s)
PID:3960

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:4432

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
16⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:3160

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1143607521.xml"
16⤵
- Creates scheduled task(s)
PID:2004

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
15⤵
- Executes dropped EXE
PID:4560

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
16⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\530088797.xml"
16⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:484

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
16⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:648

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1504305389.xml"
16⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:308

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
16⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1108657195.xml"
16⤵
- Creates scheduled task(s)
PID:4564

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:1004

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
16⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd"
15⤵
PID:1828

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\713009001.xml"
16⤵
- Creates scheduled task(s)
PID:4280

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
15⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
17⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:3484

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\579507640.xml"
17⤵
PID:1616

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
16⤵
- Executes dropped EXE
PID:1560

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
17⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\916697665.xml"
17⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:696

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
17⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:3580

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1635858357.xml"
17⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
17⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:4964

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\118310344.xml"
17⤵
- Creates scheduled task(s)
PID:4156

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:1272

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
17⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1450989760.xml"
17⤵
PID:3988

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:3944

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
18⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\359688717.xml"
18⤵
PID:4676

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
17⤵
- Executes dropped EXE
PID:3700

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:3664

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
18⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:4648

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1160647308.xml"
18⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:1828

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
18⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\945179935.xml"
18⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
18⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1926487460.xml"
18⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
18⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
"cmd"
17⤵
PID:4072

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\34395939.xml"
18⤵
- Creates scheduled task(s)
PID:3572

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
17⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:3880

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
19⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1022794397.xml"
19⤵
- Creates scheduled task(s)
PID:444

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
18⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
19⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2130512350.xml"
19⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:1272

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
19⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:3968

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\74320692.xml"
19⤵
- Creates scheduled task(s)
PID:3396

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:4792

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
19⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:1808

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\449200426.xml"
19⤵
- Creates scheduled task(s)
PID:4008

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:4732

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
19⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1079136060.xml"
19⤵
- Creates scheduled task(s)
PID:4968

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
20⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:3048

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\451603583.xml"
20⤵
- Creates scheduled task(s)
PID:1504

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
19⤵
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Roaming\nTTB.exe
"C:\Users\Admin\AppData\Roaming\nTTB.exe"
19⤵
- Executes dropped EXE
PID:2436

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:3288

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
20⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1678809144.xml"
20⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:3332

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
20⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:3328

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\161261131.xml"
20⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
20⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
"cmd"
19⤵
PID:5020

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\536140865.xml"
20⤵
- Creates scheduled task(s)
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\nTTB.exe.log
Filesize
319B

MD5
600936e187ce94453648a9245b2b42a5

SHA1
3349e5da3f713259244a2cbcb4a9dca777f637ed

SHA256
1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d

SHA512
d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964

Download Submit
C:\Users\Admin\AppData\Local\Temp\1044731059.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\1063719239.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\110893984.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\14914219.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\1548879142.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\1592868794.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\173871816.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\1852612470.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\1866626223.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\192691883.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\1944527336.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\2026038584.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\225239052.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\244227232.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\260644142.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\302230637.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\316699154.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\379676986.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\421550132.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\442654818.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\494476818.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\508490571.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\572091280.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\640043539.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\803807450.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\810275506.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\878227765.xml
Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
57B

MD5
0026a86d3f3a27021ec05830c0f1ba0a

SHA1
80ca171dc2fd6c9af0270805c6b590b4c0066c91

SHA256
c6caffa24c7f8e70b456822777af2d5b91a080598815a6ac88aa1157417dcd5e

SHA512
5f69756eaada5b912b94492ae7b295681098545d098850fe62ecfc29c406ac1011a4787ec7073e1a33fc16616b7a67cd427454c742cfb785c4e989b09ad4a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt
Filesize
49B

MD5
640a33a646adf08704570aea6b7ac5c5

SHA1
cca3667b22cabb112a8bbe151f9d7dc3263a99a1

SHA256
6d8d2fa926738e6511103062f0f4f769c6a198726df3f2f6544acd50a2bb9d35

SHA512
ae944055a535824024ac6aaa7a67abf45af620129a5db45c7c6b557983d7a878a65dcce9c5812487e89251248df0e7a2227aeb0c76b6129f3505523ccddeda3c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
C:\Users\Admin\AppData\Roaming\nTTB.exe
Filesize
1.6MB

MD5
5abea2f9a0aece3b29fa571b4d15c887

SHA1
d9959bb0087f2c985b603cee0e760f3e0faaab15

SHA256
36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4

SHA512
519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Download Submit
memory/116-160-0x0000000000000000-mapping.dmp

Download
memory/240-176-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/240-166-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/240-162-0x0000000000000000-mapping.dmp

Download
memory/400-209-0x0000000000000000-mapping.dmp

Download
memory/444-179-0x0000000000000000-mapping.dmp

Download
memory/492-167-0x0000000000000000-mapping.dmp

Download
memory/544-224-0x0000000000000000-mapping.dmp

Download
memory/1048-298-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1048-297-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1136-177-0x0000000000000000-mapping.dmp

Download
memory/1184-248-0x0000000000000000-mapping.dmp

Download
memory/1232-194-0x0000000000000000-mapping.dmp

Download
memory/1240-323-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1240-327-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1352-239-0x0000000000000000-mapping.dmp

Download
memory/1352-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1352-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1352-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1352-142-0x0000000000000000-mapping.dmp

Download
memory/1364-204-0x0000000000000000-mapping.dmp

Download
memory/1428-183-0x0000000000000000-mapping.dmp

Download
memory/1516-218-0x0000000000000000-mapping.dmp

Download
memory/1560-354-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1560-353-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1572-191-0x0000000000000000-mapping.dmp

Download
memory/1656-199-0x0000000000000000-mapping.dmp

Download
memory/1660-229-0x0000000000000000-mapping.dmp

Download
memory/1676-228-0x0000000000000000-mapping.dmp

Download
memory/1684-334-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1684-328-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1684-205-0x0000000000000000-mapping.dmp

Download
memory/1796-243-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1796-273-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1796-236-0x0000000000000000-mapping.dmp

Download
memory/1812-233-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1812-168-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1812-150-0x0000000000000000-mapping.dmp

Download
memory/1840-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1840-305-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1872-138-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1872-172-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1872-132-0x0000000000000000-mapping.dmp

Download
memory/1956-159-0x0000000000000000-mapping.dmp

Download
memory/2004-136-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2004-130-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2108-185-0x0000000000000000-mapping.dmp

Download
memory/2108-193-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2108-232-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2156-349-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2156-355-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2244-189-0x0000000000000000-mapping.dmp

Download
memory/2396-369-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2396-363-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2556-180-0x0000000000000000-mapping.dmp

Download
memory/2688-140-0x0000000000000000-mapping.dmp

Download
memory/2756-320-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2756-314-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2772-200-0x0000000000000000-mapping.dmp

Download
memory/2796-216-0x0000000000000000-mapping.dmp

Download
memory/2832-215-0x0000000000000000-mapping.dmp

Download
memory/2936-198-0x0000000000000000-mapping.dmp

Download
memory/2988-222-0x0000000000000000-mapping.dmp

Download
memory/2992-238-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2992-178-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2992-169-0x0000000000000000-mapping.dmp

Download
memory/3056-230-0x0000000000000000-mapping.dmp

Download
memory/3084-146-0x0000000000000000-mapping.dmp

Download
memory/3096-332-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3096-333-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3264-241-0x0000000000000000-mapping.dmp

Download
memory/3320-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3320-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3352-348-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3352-345-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3356-153-0x0000000000000000-mapping.dmp

Download
memory/3376-173-0x0000000000000000-mapping.dmp

Download
memory/3388-247-0x0000000000000000-mapping.dmp

Download
memory/3420-148-0x0000000000000000-mapping.dmp

Download
memory/3464-206-0x0000000000000000-mapping.dmp

Download
memory/3488-318-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3488-319-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3700-361-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3700-360-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3772-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3772-256-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3812-235-0x0000000000000000-mapping.dmp

Download
memory/3880-155-0x0000000000000000-mapping.dmp

Download
memory/3940-292-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3940-156-0x0000000000000000-mapping.dmp

Download
memory/3940-274-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3960-210-0x0000000000000000-mapping.dmp

Download
memory/3980-203-0x0000000000000000-mapping.dmp

Download
memory/4032-223-0x0000000000000000-mapping.dmp

Download
memory/4068-211-0x0000000000000000-mapping.dmp

Download
memory/4112-341-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4112-339-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-362-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-356-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4192-137-0x0000000000000000-mapping.dmp

Download
memory/4192-221-0x0000000000000000-mapping.dmp

Download
memory/4212-227-0x0000000000000000-mapping.dmp

Download
memory/4292-299-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4292-293-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4296-312-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4296-311-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4328-139-0x0000000000000000-mapping.dmp

Download
memory/4376-303-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4376-306-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4412-217-0x0000000000000000-mapping.dmp

Download
memory/4432-368-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4432-367-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4560-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4560-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4608-192-0x0000000000000000-mapping.dmp

Download
memory/4616-282-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4616-291-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4620-245-0x0000000000000000-mapping.dmp

Download
memory/4628-175-0x0000000000000000-mapping.dmp

Download
memory/4716-135-0x0000000000000000-mapping.dmp

Download
memory/4764-242-0x0000000000000000-mapping.dmp

Download
memory/4800-212-0x0000000000000000-mapping.dmp

Download
memory/4988-158-0x0000000000000000-mapping.dmp

Download
memory/5000-340-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5000-181-0x0000000000000000-mapping.dmp

Download
memory/5000-338-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5020-197-0x0000000000000000-mapping.dmp

Download
memory/5024-307-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/5024-313-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/5068-131-0x0000000000000000-mapping.dmp

Download
memory/5080-244-0x0000000000000000-mapping.dmp

Download