bitrat | 55abb5f587ab4e89fd3c44e94682a6eabfaf81329048588d17266d4527846478

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
Size

9.2MB
MD5

d00027e602f2de9ec97d21c30f3cc8ca
SHA1

5dd590a717b4ba755da315cb1daad08915195436
SHA256

55abb5f587ab4e89fd3c44e94682a6eabfaf81329048588d17266d4527846478
SHA512

29f6a935131a1a7790a5dccfde27ab697d4fe068e97ed7c63cbd11f0f3326569b09f951bbc2d9747bd6d36184c4684b0894a138110ccf0e1af53c6514130bff1
SSDEEP

196608:gHyHu9V2Lh2xwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQp4xtw3iFFrS6XofTV73G:gSO922xwZ6v1CPwDv3uFteg2EeJUO9Wp

Score

10^/10

bitrat discovery persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.33

jfxmgnxcvwtqwbxz2zb536al6p45fxtparbbppbflzrpaqxajzav6hqd.onion:80

Attributes

communication_password
5ffc3746012bb1139c6bf49107694c1a
install_dir
NvContainers
install_file
nvgwlss.exe
tor_process
NVDisplayContai

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x001100000002434f-19.dat	acprotect
behavioral2/files/0x000d000000024353-23.dat	acprotect
behavioral2/files/0x000f000000024352-21.dat	acprotect
behavioral2/files/0x0011000000024350-22.dat	acprotect
behavioral2/files/0x0007000000024356-32.dat	acprotect
behavioral2/files/0x000f000000024351-30.dat	acprotect
behavioral2/files/0x0007000000024354-28.dat	acprotect

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nvgwlss.exe

Executes dropped EXE 50 IoCs

pid	Process
5404	NVDisplayContai.exe
5468	NVDisplayContai.exe
4540	nvgwlss.exe
5276	nvgwlss.exe
5792	NVDisplayContai.exe
396	NVDisplayContai.exe
5340	NVDisplayContai.exe
4308	nvgwlss.exe
3976	nvgwlss.exe
2708	NVDisplayContai.exe
5400	NVDisplayContai.exe
772	NVDisplayContai.exe
4968	nvgwlss.exe
4604	nvgwlss.exe
5516	NVDisplayContai.exe
464	NVDisplayContai.exe
5000	NVDisplayContai.exe
4792	NVDisplayContai.exe
5560	nvgwlss.exe
224	NVDisplayContai.exe
3612	nvgwlss.exe
3588	NVDisplayContai.exe
3524	nvgwlss.exe
3976	nvgwlss.exe
4568	NVDisplayContai.exe
940	NVDisplayContai.exe
5016	NVDisplayContai.exe
2712	nvgwlss.exe
4028	NVDisplayContai.exe
1460	nvgwlss.exe
2348	NVDisplayContai.exe
624	NVDisplayContai.exe
700	NVDisplayContai.exe
4568	nvgwlss.exe
3508	NVDisplayContai.exe
5712	nvgwlss.exe
5404	NVDisplayContai.exe
4612	NVDisplayContai.exe
3324	nvgwlss.exe
3952	NVDisplayContai.exe
5792	nvgwlss.exe
3000	NVDisplayContai.exe
4480	NVDisplayContai.exe
1072	nvgwlss.exe
4740	NVDisplayContai.exe
4308	nvgwlss.exe
5648	NVDisplayContai.exe
4356	nvgwlss.exe
3980	NVDisplayContai.exe
4148	nvgwlss.exe

Loads dropped DLL 64 IoCs

pid	Process
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5404	NVDisplayContai.exe
5468	NVDisplayContai.exe
5468	NVDisplayContai.exe
5468	NVDisplayContai.exe
5468	NVDisplayContai.exe
5468	NVDisplayContai.exe
5468	NVDisplayContai.exe
5468	NVDisplayContai.exe
5792	NVDisplayContai.exe
5792	NVDisplayContai.exe
5792	NVDisplayContai.exe
5792	NVDisplayContai.exe
5792	NVDisplayContai.exe
5792	NVDisplayContai.exe
5792	NVDisplayContai.exe
396	NVDisplayContai.exe
396	NVDisplayContai.exe
396	NVDisplayContai.exe
396	NVDisplayContai.exe
396	NVDisplayContai.exe
396	NVDisplayContai.exe
396	NVDisplayContai.exe
5340	NVDisplayContai.exe
5340	NVDisplayContai.exe
5340	NVDisplayContai.exe
5340	NVDisplayContai.exe
5340	NVDisplayContai.exe
5340	NVDisplayContai.exe
5340	NVDisplayContai.exe
2708	NVDisplayContai.exe
2708	NVDisplayContai.exe
2708	NVDisplayContai.exe
2708	NVDisplayContai.exe
2708	NVDisplayContai.exe
2708	NVDisplayContai.exe
2708	NVDisplayContai.exe
5400	NVDisplayContai.exe
5400	NVDisplayContai.exe
5400	NVDisplayContai.exe
5400	NVDisplayContai.exe
5400	NVDisplayContai.exe
5400	NVDisplayContai.exe
5400	NVDisplayContai.exe
772	NVDisplayContai.exe
772	NVDisplayContai.exe
772	NVDisplayContai.exe
772	NVDisplayContai.exe
772	NVDisplayContai.exe
772	NVDisplayContai.exe
772	NVDisplayContai.exe
464	NVDisplayContai.exe
464	NVDisplayContai.exe
5516	NVDisplayContai.exe
5516	NVDisplayContai.exe
464	NVDisplayContai.exe
464	NVDisplayContai.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvgwlss = "C:\\Users\\Admin\\AppData\\Local\\NvContainers\\nvgwlss.exe"	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
149	myexternalip.com
150	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
5704	nvgwlss.exe
4540	nvgwlss.exe
5276	nvgwlss.exe
4308	nvgwlss.exe
3976	nvgwlss.exe
4968	nvgwlss.exe
4604	nvgwlss.exe
5560	nvgwlss.exe
3612	nvgwlss.exe
3524	nvgwlss.exe
3976	nvgwlss.exe
2712	nvgwlss.exe
1460	nvgwlss.exe
4568	nvgwlss.exe
5712	nvgwlss.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
3324	nvgwlss.exe
5792	nvgwlss.exe
1072	nvgwlss.exe
4308	nvgwlss.exe
4356	nvgwlss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4952-0-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/files/0x0007000000024355-14.dat	upx
behavioral2/memory/5404-17-0x0000000000E00000-0x0000000001204000-memory.dmp	upx
behavioral2/files/0x001100000002434f-19.dat	upx
behavioral2/files/0x000d000000024353-23.dat	upx
behavioral2/files/0x000f000000024352-21.dat	upx
behavioral2/files/0x0011000000024350-22.dat	upx
behavioral2/memory/5404-42-0x0000000073420000-0x0000000073444000-memory.dmp	upx
behavioral2/memory/5404-43-0x00000000735F0000-0x0000000073639000-memory.dmp	upx
behavioral2/memory/5404-41-0x0000000073560000-0x00000000735E8000-memory.dmp	upx
behavioral2/memory/5404-40-0x0000000073640000-0x000000007370E000-memory.dmp	upx
behavioral2/memory/5404-39-0x0000000073150000-0x000000007341F000-memory.dmp	upx
behavioral2/memory/5404-37-0x0000000073450000-0x000000007355A000-memory.dmp	upx
behavioral2/files/0x0007000000024356-32.dat	upx
behavioral2/memory/5404-31-0x0000000073710000-0x00000000737D8000-memory.dmp	upx
behavioral2/files/0x000f000000024351-30.dat	upx
behavioral2/files/0x0007000000024354-28.dat	upx
behavioral2/memory/4952-47-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5704-48-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5404-49-0x0000000000E00000-0x0000000001204000-memory.dmp	upx
behavioral2/memory/5404-51-0x0000000073710000-0x00000000737D8000-memory.dmp	upx
behavioral2/memory/5404-53-0x0000000073450000-0x000000007355A000-memory.dmp	upx
behavioral2/memory/5404-55-0x0000000073150000-0x000000007341F000-memory.dmp	upx
behavioral2/memory/5404-57-0x0000000000E00000-0x0000000001204000-memory.dmp	upx
behavioral2/memory/5404-65-0x0000000073640000-0x000000007370E000-memory.dmp	upx
behavioral2/memory/5468-83-0x0000000073370000-0x000000007343E000-memory.dmp	upx
behavioral2/memory/5468-82-0x0000000073150000-0x00000000731D8000-memory.dmp	upx
behavioral2/memory/5468-81-0x00000000731E0000-0x00000000732EA000-memory.dmp	upx
behavioral2/memory/5468-80-0x00000000732F0000-0x0000000073314000-memory.dmp	upx
behavioral2/memory/5468-79-0x0000000073320000-0x0000000073369000-memory.dmp	upx
behavioral2/memory/5468-78-0x0000000073440000-0x0000000073508000-memory.dmp	upx
behavioral2/memory/5468-77-0x0000000073510000-0x00000000737DF000-memory.dmp	upx
behavioral2/files/0x0007000000024343-86.dat	upx
behavioral2/memory/4540-87-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5704-90-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/4952-91-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5704-92-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5468-104-0x0000000073440000-0x0000000073508000-memory.dmp	upx
behavioral2/memory/5468-102-0x0000000073370000-0x000000007343E000-memory.dmp	upx
behavioral2/memory/5468-105-0x0000000000E00000-0x0000000001204000-memory.dmp	upx
behavioral2/memory/5468-103-0x0000000073510000-0x00000000737DF000-memory.dmp	upx
behavioral2/memory/5276-109-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5792-129-0x0000000073150000-0x000000007321E000-memory.dmp	upx
behavioral2/memory/4540-130-0x0000000000400000-0x0000000001019000-memory.dmp	upx
behavioral2/memory/5792-128-0x0000000073220000-0x00000000732A8000-memory.dmp	upx
behavioral2/memory/5792-127-0x00000000732B0000-0x00000000733BA000-memory.dmp	upx
behavioral2/memory/5792-126-0x00000000733C0000-0x00000000733E4000-memory.dmp	upx
behavioral2/memory/5792-125-0x00000000733F0000-0x0000000073439000-memory.dmp	upx
behavioral2/memory/5792-124-0x0000000073440000-0x0000000073508000-memory.dmp	upx
behavioral2/memory/5792-123-0x0000000073510000-0x00000000737DF000-memory.dmp	upx
behavioral2/memory/396-150-0x0000000073220000-0x00000000732A8000-memory.dmp	upx
behavioral2/memory/396-149-0x00000000732B0000-0x00000000733BA000-memory.dmp	upx
behavioral2/memory/396-148-0x00000000733C0000-0x00000000733E4000-memory.dmp	upx
behavioral2/memory/396-147-0x00000000733F0000-0x0000000073439000-memory.dmp	upx
behavioral2/memory/396-146-0x0000000073150000-0x000000007321E000-memory.dmp	upx
behavioral2/memory/396-145-0x0000000073440000-0x0000000073508000-memory.dmp	upx
behavioral2/memory/396-144-0x0000000073510000-0x00000000737DF000-memory.dmp	upx
behavioral2/memory/396-143-0x0000000000E00000-0x0000000001204000-memory.dmp	upx
behavioral2/memory/396-158-0x0000000073220000-0x00000000732A8000-memory.dmp	upx
behavioral2/memory/396-164-0x00000000733C0000-0x00000000733E4000-memory.dmp	upx
behavioral2/memory/396-163-0x00000000733F0000-0x0000000073439000-memory.dmp	upx
behavioral2/memory/396-162-0x0000000073150000-0x000000007321E000-memory.dmp	upx
behavioral2/memory/396-161-0x0000000073440000-0x0000000073508000-memory.dmp	upx
behavioral2/memory/396-160-0x0000000073510000-0x00000000737DF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
6076	4952	WerFault.exe	84
4500	4952	WerFault.exe	84
4620	4952	WerFault.exe	84
4736	4952	WerFault.exe	84
4820	4952	WerFault.exe	84
3844	4952	WerFault.exe	84
1072	4952	WerFault.exe	84
5212	4952	WerFault.exe	84
4592	4952	WerFault.exe	84
1208	4952	WerFault.exe	84
5792	4952	WerFault.exe	84
2620	4952	WerFault.exe	84
5508	5704	WerFault.exe	122
5864	4952	WerFault.exe	84
396	4952	WerFault.exe	84
3396	4952	WerFault.exe	84
3644	4952	WerFault.exe	84
904	4952	WerFault.exe	84
1736	4952	WerFault.exe	84
1948	4952	WerFault.exe	84
5520	5704	WerFault.exe	122
6100	5704	WerFault.exe	122
5624	5704	WerFault.exe	122
868	5704	WerFault.exe	122
1588	5704	WerFault.exe	122
976	5704	WerFault.exe	122
3716	5704	WerFault.exe	122
3012	5704	WerFault.exe	122
4396	5704	WerFault.exe	122
5752	5704	WerFault.exe	122
4792	4540	WerFault.exe	163
5740	4540	WerFault.exe	163
4852	5704	WerFault.exe	122
2400	4540	WerFault.exe	163
4156	4540	WerFault.exe	163
4912	4540	WerFault.exe	163
3652	4540	WerFault.exe	163
5664	5276	WerFault.exe	179
1904	4540	WerFault.exe	163
1888	4540	WerFault.exe	163
3168	4540	WerFault.exe	163
5824	4540	WerFault.exe	163
5508	4540	WerFault.exe	163
1364	4540	WerFault.exe	163
3924	5276	WerFault.exe	179
5116	5276	WerFault.exe	179
2752	5276	WerFault.exe	179
780	5276	WerFault.exe	179
2240	5276	WerFault.exe	179
1772	5276	WerFault.exe	179
5924	5276	WerFault.exe	179
3968	5276	WerFault.exe	179
4928	5276	WerFault.exe	179
3656	5276	WerFault.exe	179
4396	4540	WerFault.exe	163
4764	4308	WerFault.exe	224
5740	4952	WerFault.exe	84
4076	4952	WerFault.exe	84
3936	5276	WerFault.exe	179
4432	4308	WerFault.exe	224
5664	4308	WerFault.exe	224
1496	4308	WerFault.exe	224
2252	4308	WerFault.exe	224
3544	4308	WerFault.exe	224

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvgwlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVDisplayContai.exe

Suspicious behavior: RenamesItself 21 IoCs

pid	Process
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
Token: SeShutdownPrivilege	5704	nvgwlss.exe
Token: SeShutdownPrivilege	4540	nvgwlss.exe
Token: SeShutdownPrivilege	5276	nvgwlss.exe
Token: SeShutdownPrivilege	4308	nvgwlss.exe
Token: SeShutdownPrivilege	3976	nvgwlss.exe
Token: SeShutdownPrivilege	4968	nvgwlss.exe
Token: SeShutdownPrivilege	4604	nvgwlss.exe
Token: SeShutdownPrivilege	5560	nvgwlss.exe
Token: SeShutdownPrivilege	3612	nvgwlss.exe
Token: SeShutdownPrivilege	3524	nvgwlss.exe
Token: SeShutdownPrivilege	3976	nvgwlss.exe
Token: SeShutdownPrivilege	2712	nvgwlss.exe
Token: SeShutdownPrivilege	1460	nvgwlss.exe
Token: SeShutdownPrivilege	4568	nvgwlss.exe
Token: SeShutdownPrivilege	5712	nvgwlss.exe
Token: SeShutdownPrivilege	3324	nvgwlss.exe
Token: SeShutdownPrivilege	5792	nvgwlss.exe
Token: SeShutdownPrivilege	1072	nvgwlss.exe
Token: SeShutdownPrivilege	4308	nvgwlss.exe
Token: SeShutdownPrivilege	4356	nvgwlss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 5404	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	115
PID 4952 wrote to memory of 5404	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	115
PID 4952 wrote to memory of 5404	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	115
PID 2376 wrote to memory of 5704	2376	cmd.exe	122
PID 2376 wrote to memory of 5704	2376	cmd.exe	122
PID 2376 wrote to memory of 5704	2376	cmd.exe	122
PID 5704 wrote to memory of 5468	5704	nvgwlss.exe	160
PID 5704 wrote to memory of 5468	5704	nvgwlss.exe	160
PID 5704 wrote to memory of 5468	5704	nvgwlss.exe	160
PID 4924 wrote to memory of 4540	4924	cmd.exe	163
PID 4924 wrote to memory of 4540	4924	cmd.exe	163
PID 4924 wrote to memory of 4540	4924	cmd.exe	163
PID 5976 wrote to memory of 5276	5976	cmd.exe	179
PID 5976 wrote to memory of 5276	5976	cmd.exe	179
PID 5976 wrote to memory of 5276	5976	cmd.exe	179
PID 4952 wrote to memory of 5792	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	183
PID 4952 wrote to memory of 5792	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	183
PID 4952 wrote to memory of 5792	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	183
PID 4540 wrote to memory of 396	4540	nvgwlss.exe	196
PID 4540 wrote to memory of 396	4540	nvgwlss.exe	196
PID 4540 wrote to memory of 396	4540	nvgwlss.exe	196
PID 5276 wrote to memory of 5340	5276	nvgwlss.exe	218
PID 5276 wrote to memory of 5340	5276	nvgwlss.exe	218
PID 5276 wrote to memory of 5340	5276	nvgwlss.exe	218
PID 4500 wrote to memory of 4308	4500	cmd.exe	224
PID 4500 wrote to memory of 4308	4500	cmd.exe	224
PID 4500 wrote to memory of 4308	4500	cmd.exe	224
PID 4308 wrote to memory of 2708	4308	nvgwlss.exe	257
PID 4308 wrote to memory of 2708	4308	nvgwlss.exe	257
PID 4308 wrote to memory of 2708	4308	nvgwlss.exe	257
PID 2728 wrote to memory of 3976	2728	cmd.exe	258
PID 2728 wrote to memory of 3976	2728	cmd.exe	258
PID 2728 wrote to memory of 3976	2728	cmd.exe	258
PID 4952 wrote to memory of 5400	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	261
PID 4952 wrote to memory of 5400	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	261
PID 4952 wrote to memory of 5400	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	261
PID 3976 wrote to memory of 772	3976	nvgwlss.exe	288
PID 3976 wrote to memory of 772	3976	nvgwlss.exe	288
PID 3976 wrote to memory of 772	3976	nvgwlss.exe	288
PID 5584 wrote to memory of 4968	5584	cmd.exe	291
PID 5584 wrote to memory of 4968	5584	cmd.exe	291
PID 5584 wrote to memory of 4968	5584	cmd.exe	291
PID 1316 wrote to memory of 4604	1316	cmd.exe	315
PID 1316 wrote to memory of 4604	1316	cmd.exe	315
PID 1316 wrote to memory of 4604	1316	cmd.exe	315
PID 4952 wrote to memory of 464	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	321
PID 4952 wrote to memory of 464	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	321
PID 4952 wrote to memory of 464	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	321
PID 4968 wrote to memory of 5516	4968	nvgwlss.exe	322
PID 4968 wrote to memory of 5516	4968	nvgwlss.exe	322
PID 4968 wrote to memory of 5516	4968	nvgwlss.exe	322
PID 4952 wrote to memory of 5000	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	323
PID 4952 wrote to memory of 5000	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	323
PID 4952 wrote to memory of 5000	4952	2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe	323
PID 4604 wrote to memory of 4792	4604	nvgwlss.exe	344
PID 4604 wrote to memory of 4792	4604	nvgwlss.exe	344
PID 4604 wrote to memory of 4792	4604	nvgwlss.exe	344
PID 3016 wrote to memory of 5560	3016	cmd.exe	351
PID 3016 wrote to memory of 5560	3016	cmd.exe	351
PID 3016 wrote to memory of 5560	3016	cmd.exe	351
PID 5560 wrote to memory of 224	5560	nvgwlss.exe	374
PID 5560 wrote to memory of 224	5560	nvgwlss.exe	374
PID 5560 wrote to memory of 224	5560	nvgwlss.exe	374
PID 5436 wrote to memory of 3612	5436	cmd.exe	377

C:\Users\Admin\AppData\Local\Temp\2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-27_d00027e602f2de9ec97d21c30f3cc8ca_bitrat_black-basta_coinminer_luca-stealer.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 192
  2⤵
  - Program crash
  PID:6076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 540
  2⤵
  - Program crash
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 372
  2⤵
  - Program crash
  PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 912
  2⤵
  - Program crash
  PID:4736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 908
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1232
  2⤵
  - Program crash
  PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1272
  2⤵
  - Program crash
  PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1300
  2⤵
  - Program crash
  PID:5212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1336
  2⤵
  - Program crash
  PID:4592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1336
  2⤵
  - Program crash
  PID:1208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1404
  2⤵
  - Program crash
  PID:5792
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1536
  2⤵
  - Program crash
  PID:2620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1548
  2⤵
  - Program crash
  PID:5864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1644
  2⤵
  - Program crash
  PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1632
  2⤵
  - Program crash
  PID:3396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1664
  2⤵
  - Program crash
  PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1552
  2⤵
  - Program crash
  PID:904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1672
  2⤵
  - Program crash
  PID:1736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1632
  2⤵
  - Program crash
  PID:1948
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1696
  2⤵
  - Program crash
  PID:5740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1688
  2⤵
  - Program crash
  PID:4076
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5400
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1756
  2⤵
  PID:4300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1772
  2⤵
  PID:4476
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:940
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:624
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1368
  2⤵
  PID:888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1800
  2⤵
  PID:4588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1792
  2⤵
  PID:6008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1904
  2⤵
  PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2384
  2⤵
  PID:5436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2448
  2⤵
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2652
  2⤵
  PID:6136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2480
  2⤵
  PID:1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2484
  2⤵
  PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2448
  2⤵
  PID:904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2468
  2⤵
  PID:2540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2696
  2⤵
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2668
  2⤵
  PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1652
  2⤵
  PID:5796
- C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
  "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4952 -ip 4952
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4952 -ip 4952
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4952 -ip 4952
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4952 -ip 4952
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4952 -ip 4952
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4952 -ip 4952
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4952 -ip 4952
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4952 -ip 4952
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4952 -ip 4952
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4952 -ip 4952
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4952 -ip 4952
1⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 220
    3⤵
    - Program crash
    PID:5508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 532
    3⤵
    - Program crash
    PID:5520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 676
    3⤵
    - Program crash
    PID:6100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 768
    3⤵
    - Program crash
    PID:5624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 764
    3⤵
    - Program crash
    PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1320
    3⤵
    - Program crash
    PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1376
    3⤵
    - Program crash
    PID:976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1368
    3⤵
    - Program crash
    PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1396
    3⤵
    - Program crash
    PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1436
    3⤵
    - Program crash
    PID:4396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1428
    3⤵
    - Program crash
    PID:5752
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 84
    3⤵
    - Program crash
    PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4952 -ip 4952
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5704 -ip 5704
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4952 -ip 4952
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4952 -ip 4952
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4952 -ip 4952
1⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4952 -ip 4952
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4952 -ip 4952
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4952 -ip 4952
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4952 -ip 4952
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5704 -ip 5704
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5704 -ip 5704
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5704 -ip 5704
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5704 -ip 5704
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5704 -ip 5704
1⤵
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5704 -ip 5704
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5704 -ip 5704
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5704 -ip 5704
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5704 -ip 5704
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5704 -ip 5704
1⤵
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 184
    3⤵
    - Program crash
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 504
    3⤵
    - Program crash
    PID:5740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 872
    3⤵
    - Program crash
    PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 880
    3⤵
    - Program crash
    PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 868
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 880
    3⤵
    - Program crash
    PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1292
    3⤵
    - Program crash
    PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1332
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1292
    3⤵
    - Program crash
    PID:3168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1372
    3⤵
    - Program crash
    PID:5824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1360
    3⤵
    - Program crash
    PID:5508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1408
    3⤵
    - Program crash
    PID:1364
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 84
    3⤵
    - Program crash
    PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4540 -ip 4540
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4540 -ip 4540
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5704 -ip 5704
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4540 -ip 4540
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4540 -ip 4540
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4540 -ip 4540
1⤵
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5976
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 184
    3⤵
    - Program crash
    PID:5664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 504
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 892
    3⤵
    - Program crash
    PID:5116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 908
    3⤵
    - Program crash
    PID:2752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 920
    3⤵
    - Program crash
    PID:780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1276
    3⤵
    - Program crash
    PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1344
    3⤵
    - Program crash
    PID:1772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
    3⤵
    - Program crash
    PID:5924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1376
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1356
    3⤵
    - Program crash
    PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1384
    3⤵
    - Program crash
    PID:3656
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 88
    3⤵
    - Program crash
    PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4540 -ip 4540
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5276 -ip 5276
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4540 -ip 4540
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4540 -ip 4540
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4540 -ip 4540
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4540 -ip 4540
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4540 -ip 4540
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4540 -ip 4540
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5276 -ip 5276
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5276 -ip 5276
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5276 -ip 5276
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5276 -ip 5276
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5276 -ip 5276
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5276 -ip 5276
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5276 -ip 5276
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5276 -ip 5276
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5276 -ip 5276
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5276 -ip 5276
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4540 -ip 4540
1⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 184
    3⤵
    - Program crash
    PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 504
    3⤵
    - Program crash
    PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 872
    3⤵
    - Program crash
    PID:5664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 892
    3⤵
    - Program crash
    PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 896
    3⤵
    - Program crash
    PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 892
    3⤵
    - Program crash
    PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 716
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1416
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 716
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1456
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1448
    3⤵
    PID:1920
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 84
    3⤵
    PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4308 -ip 4308
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4952 -ip 4952
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4952 -ip 4952
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5276 -ip 5276
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4308 -ip 4308
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
1⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4308 -ip 4308
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4308 -ip 4308
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4308 -ip 4308
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4308 -ip 4308
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4308 -ip 4308
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
1⤵
PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 184
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 508
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 872
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 908
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 876
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1276
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1344
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1292
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1320
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1372
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1340
    3⤵
    PID:1600
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 84
    3⤵
    PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3976 -ip 3976
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3976 -ip 3976
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3976 -ip 3976
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3976 -ip 3976
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3976 -ip 3976
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3976 -ip 3976
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4308 -ip 4308
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3976 -ip 3976
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3976 -ip 3976
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3976 -ip 3976
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3976 -ip 3976
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3976 -ip 3976
1⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 184
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 504
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 872
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 908
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 916
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1336
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 940
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 680
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1340
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1368
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1396
    3⤵
    PID:4956
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 84
    3⤵
    PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4968 -ip 4968
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3976 -ip 3976
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4968 -ip 4968
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4968 -ip 4968
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4968 -ip 4968
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4968 -ip 4968
1⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4968 -ip 4968
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4968 -ip 4968
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4968 -ip 4968
1⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4968 -ip 4968
1⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 192
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 504
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 660
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 892
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 928
    3⤵
    PID:732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1284
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1324
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1344
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1324
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1324
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1336
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 84
    3⤵
    PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4968 -ip 4968
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4604 -ip 4604
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4968 -ip 4968
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4604 -ip 4604
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4604 -ip 4604
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4604 -ip 4604
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4604 -ip 4604
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4604 -ip 4604
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4604 -ip 4604
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4604 -ip 4604
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4604 -ip 4604
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4968 -ip 4968
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 184
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 504
    3⤵
    PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 868
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 912
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 880
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1284
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1324
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1340
    3⤵
    PID:408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1344
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1368
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1360
    3⤵
    PID:3648
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 84
    3⤵
    PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5560 -ip 5560
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5560 -ip 5560
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5560 -ip 5560
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5560 -ip 5560
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5560 -ip 5560
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5560 -ip 5560
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5560 -ip 5560
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5560 -ip 5560
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5560 -ip 5560
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5560 -ip 5560
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5560 -ip 5560
1⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5436
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 184
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 504
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 736
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 892
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 888
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1276
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1348
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1276
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1348
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1336
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1380
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 84
    3⤵
    PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3612 -ip 3612
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3612 -ip 3612
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3612 -ip 3612
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3612 -ip 3612
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3612 -ip 3612
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3612 -ip 3612
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3612 -ip 3612
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3612 -ip 3612
1⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3612 -ip 3612
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3612 -ip 3612
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5560 -ip 5560
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3612 -ip 3612
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4952 -ip 4952
1⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 184
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 504
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 644
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 888
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 884
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1068
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1348
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1388
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1348
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1420
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1428
    3⤵
    PID:4904
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 84
    3⤵
    PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4952 -ip 4952
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3524 -ip 3524
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3524 -ip 3524
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3524 -ip 3524
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3524 -ip 3524
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3524 -ip 3524
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3524 -ip 3524
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3612 -ip 3612
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3524 -ip 3524
1⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 184
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 508
    3⤵
    PID:700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 668
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 888
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 884
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1276
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1324
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1332
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1396
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1404
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1280
    3⤵
    PID:4260
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 84
    3⤵
    PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3524 -ip 3524
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3976 -ip 3976
1⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3976 -ip 3976
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3976 -ip 3976
1⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3976 -ip 3976
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3976 -ip 3976
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3976 -ip 3976
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3976 -ip 3976
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3976 -ip 3976
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3976 -ip 3976
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3976 -ip 3976
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3976 -ip 3976
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3524 -ip 3524
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3976 -ip 3976
1⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 184
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 508
    3⤵
    PID:5404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 872
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 892
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 888
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1332
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1372
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1388
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1372
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 928
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1340
    3⤵
    PID:4960
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 84
    3⤵
    PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2712 -ip 2712
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2712 -ip 2712
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2712 -ip 2712
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2712 -ip 2712
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2712 -ip 2712
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2712 -ip 2712
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2712 -ip 2712
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2712 -ip 2712
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2712 -ip 2712
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2712 -ip 2712
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2712 -ip 2712
1⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 184
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 504
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 712
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 892
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 888
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1212
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1324
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1288
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1364
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1340
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1352
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 84
    3⤵
    PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1460 -ip 1460
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1460 -ip 1460
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1460 -ip 1460
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1460 -ip 1460
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1460 -ip 1460
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1460 -ip 1460
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1460 -ip 1460
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1460 -ip 1460
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1460 -ip 1460
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2712 -ip 2712
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1460 -ip 1460
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1460 -ip 1460
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1460 -ip 1460
1⤵
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 184
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 504
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 660
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 888
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 884
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1252
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1332
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1344
    3⤵
    PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1404
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1444
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1452
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 84
    3⤵
    PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4568 -ip 4568
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4568 -ip 4568
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4568 -ip 4568
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4568 -ip 4568
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4568 -ip 4568
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4568 -ip 4568
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4568 -ip 4568
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4568 -ip 4568
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4568 -ip 4568
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4568 -ip 4568
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4568 -ip 4568
1⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 188
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 504
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 872
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 892
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 888
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1004
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1248
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1352
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1372
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1372
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1396
    3⤵
    PID:4744
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 88
    3⤵
    PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5712 -ip 5712
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5712 -ip 5712
1⤵
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5712 -ip 5712
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5712 -ip 5712
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5712 -ip 5712
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5712 -ip 5712
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5712 -ip 5712
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5712 -ip 5712
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5712 -ip 5712
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5712 -ip 5712
1⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5712 -ip 5712
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4952 -ip 4952
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4952 -ip 4952
1⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4568 -ip 4568
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5712 -ip 5712
1⤵
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 184
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 508
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 904
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 944
    3⤵
    PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 916
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1276
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1292
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1324
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1332
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1360
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1376
    3⤵
    PID:6100
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 88
    3⤵
    PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3324 -ip 3324
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4952 -ip 4952
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4952 -ip 4952
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4952 -ip 4952
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4952 -ip 4952
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4952 -ip 4952
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3324 -ip 3324
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4952 -ip 4952
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3324 -ip 3324
1⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4952 -ip 4952
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3324 -ip 3324
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3324 -ip 3324
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4952 -ip 4952
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3324 -ip 3324
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4952 -ip 4952
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3324 -ip 3324
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3324 -ip 3324
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4952 -ip 4952
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3324 -ip 3324
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4952 -ip 4952
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 3324
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3324 -ip 3324
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4952 -ip 4952
1⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 184
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 504
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 868
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 912
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 884
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 1252
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 1344
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 1364
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 1384
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 1256
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 1384
    3⤵
    PID:4768
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 84
    3⤵
    PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5792 -ip 5792
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5792 -ip 5792
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5792 -ip 5792
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5792 -ip 5792
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5792 -ip 5792
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5792 -ip 5792
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5792 -ip 5792
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5792 -ip 5792
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5792 -ip 5792
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5792 -ip 5792
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5792 -ip 5792
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3324 -ip 3324
1⤵
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 184
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 316
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 728
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 912
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 660
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 868
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1352
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1016
    3⤵
    PID:872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1352
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1392
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1008
    3⤵
    PID:732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1392
    3⤵
    PID:5736
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 84
    3⤵
    PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1072 -ip 1072
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1072 -ip 1072
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1072 -ip 1072
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1072 -ip 1072
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072
1⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1072 -ip 1072
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1072 -ip 1072
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1072 -ip 1072
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1072 -ip 1072
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5792 -ip 5792
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1072 -ip 1072
1⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 184
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 512
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 872
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 900
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 896
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1212
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1248
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1352
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1364
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1352
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1412
    3⤵
    PID:4548
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 84
    3⤵
    PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4308 -ip 4308
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4308 -ip 4308
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4308 -ip 4308
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4308 -ip 4308
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4308 -ip 4308
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4308 -ip 4308
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4308 -ip 4308
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4308 -ip 4308
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4308 -ip 4308
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4308 -ip 4308
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1072 -ip 1072
1⤵
PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 184
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 504
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 644
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 888
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 884
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 820
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1452
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1480
    3⤵
    PID:948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1496
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1516
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1504
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe
    "C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe" -f torrc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4356 -ip 4356
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4356 -ip 4356
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4356 -ip 4356
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4356 -ip 4356
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4356 -ip 4356
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4356 -ip 4356
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4356 -ip 4356
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4356 -ip 4356
1⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4356 -ip 4356
1⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4356 -ip 4356
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4356 -ip 4356
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4308 -ip 4308
1⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 184
    3⤵
    PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4148 -ip 4148
1⤵
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NvContainers\nvgwlss.exe

Filesize
9.2MB

MD5
d00027e602f2de9ec97d21c30f3cc8ca

SHA1
5dd590a717b4ba755da315cb1daad08915195436

SHA256
55abb5f587ab4e89fd3c44e94682a6eabfaf81329048588d17266d4527846478

SHA512
29f6a935131a1a7790a5dccfde27ab697d4fe068e97ed7c63cbd11f0f3326569b09f951bbc2d9747bd6d36184c4684b0894a138110ccf0e1af53c6514130bff1

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\NVDisplayContai.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\data\cached-microdesc-consensus.tmp

Filesize
3.1MB

MD5
0c94d34eda10c54f5f0ef9c717ac96a8

SHA1
45141b4fc575e4843a56522329c75da6ee1bae78

SHA256
1292fc70120f3ce847530bf16277511a5c7f1036564bec9c6c1dcbb0444aabb2

SHA512
56812df703e32edbcac49243f9a5595930250320c18dd7930b3aee12843602618fed9099c1525e0564acbdc6d500361a3e4cb5be429f399dd10cbbc6df2b9ee8

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\data\cached-microdescs.new

Filesize
12.6MB

MD5
a961cd23efcbca52162612e1ceb74c2a

SHA1
6f349dfc08a6debc75567212823c174021d29d66

SHA256
ac3ba250219a5ead5456c04e6cc08fa41b66381e31ba4a2fecceadab00325486

SHA512
e3e486a9941c54dfb772ccce156f561c70b194cf91477a99c9d773097db5dbe1592e6a32d2695c18061c0e22f86a57ab150c44cd0eb0d04f5a1e090f025e923f

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\data\state

Filesize
232B

MD5
6e71078247dfe87eb262790d6fb61671

SHA1
405338c9a0f5b362b1c18e3925b4d1c46b696b59

SHA256
c16e5b20e87e7144040af94657b467fb7b6aec10acf7abdfd22cd8731f60360a

SHA512
30e912a8c2ddd9d545c09c2958fcd590f488003dab9bd977553c23910ece4b21b2fcbd2909c3e6f4f750f5fe40103d27b86e165066f34773c846803b340f4eda

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\data\state

Filesize
232B

MD5
44fd77ce32eb63f5f856952b2af777b0

SHA1
fbdc5e9c82cbd6b11bd4529ff135a59c7ece02f4

SHA256
d80885d55a310bad1810a007abd6c136de119ffe62830a70a221d5513e3156b5

SHA512
dba5f68dbd6a9bfa8392487e0e3dc77a0810e4442c711c0ff8be64e0278f5501ccbdea512f2ada7b4e1cb18683f4fb20632398610f50d5549e26299c908cd315

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\data\state

Filesize
232B

MD5
65a0c4d5122664dc9631a2180594c889

SHA1
cc728492b982b2b613d4cc124821aa8f4b31ccda

SHA256
b7cb2413f3aceaf88181748029bb5b2f8a9aa6c2b6db47fb8f8c8d1249f4c6a7

SHA512
29fa72c3934a1ba4308b765016b313ef1d70f3d25d5112149a523e89eb6337ddbf0b6d0e043581f9d4a72d68a673cceee23c3acf306430b59b610342da526600

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\torrc

Filesize
139B

MD5
72e5b34d9e05ca7227b20b943bed6c43

SHA1
0f5539470f8e514df829ebb674ab33437fcf1015

SHA256
c310727cde6a0129824dcda0cba250b46a740a4ced4843685a194d2fdfc12aa1

SHA512
a0031336b2f8e99e42c7bcb4d2f62948a64a5aeb08a0860ce22aa8f0d2e2b37c3c17643038964f9a4d6d56fb9b7552bfc99a7dd9e008de850945f42a62a42fc2

Download Submit
C:\Users\Admin\AppData\Local\a044d9b1\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/396-158-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/396-162-0x0000000073150000-0x000000007321E000-memory.dmp

Filesize
824KB

Download
memory/396-146-0x0000000073150000-0x000000007321E000-memory.dmp

Filesize
824KB

Download
memory/396-148-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/396-159-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/396-160-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/396-145-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/396-144-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/396-143-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/396-157-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/396-164-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/396-163-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/396-150-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/396-147-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/396-161-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/396-149-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/772-270-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/772-271-0x0000000073370000-0x000000007343E000-memory.dmp

Filesize
824KB

Download
memory/772-272-0x0000000073320000-0x0000000073369000-memory.dmp

Filesize
292KB

Download
memory/772-268-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/2708-233-0x00000000731F0000-0x00000000732B8000-memory.dmp

Filesize
800KB

Download
memory/2708-238-0x0000000072880000-0x0000000072908000-memory.dmp

Filesize
544KB

Download
memory/2708-232-0x0000000072A70000-0x0000000072D3F000-memory.dmp

Filesize
2.8MB

Download
memory/2708-234-0x0000000073120000-0x00000000731EE000-memory.dmp

Filesize
824KB

Download
memory/2708-235-0x0000000072A20000-0x0000000072A69000-memory.dmp

Filesize
292KB

Download
memory/2708-236-0x00000000730F0000-0x0000000073114000-memory.dmp

Filesize
144KB

Download
memory/2708-237-0x0000000072910000-0x0000000072A1A000-memory.dmp

Filesize
1.0MB

Download
memory/2708-231-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/4540-194-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4540-130-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4540-87-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4540-93-0x0000000072E20000-0x0000000072E59000-memory.dmp

Filesize
228KB

Download
memory/4952-0-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4952-91-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4952-50-0x0000000072E20000-0x0000000072E59000-memory.dmp

Filesize
228KB

Download
memory/4952-219-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4952-47-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4952-181-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4952-325-0x0000000074290000-0x00000000742C9000-memory.dmp

Filesize
228KB

Download
memory/4952-1-0x0000000074290000-0x00000000742C9000-memory.dmp

Filesize
228KB

Download
memory/5276-109-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/5276-166-0x0000000072E20000-0x0000000072E59000-memory.dmp

Filesize
228KB

Download
memory/5276-197-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/5276-165-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/5340-206-0x0000000073150000-0x000000007321E000-memory.dmp

Filesize
824KB

Download
memory/5340-199-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/5340-201-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/5340-207-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5340-205-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/5340-183-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5340-204-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/5340-203-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/5340-202-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/5400-213-0x0000000072A20000-0x0000000072A69000-memory.dmp

Filesize
292KB

Download
memory/5400-210-0x0000000072A70000-0x0000000072D3F000-memory.dmp

Filesize
2.8MB

Download
memory/5400-216-0x0000000072880000-0x0000000072908000-memory.dmp

Filesize
544KB

Download
memory/5400-215-0x0000000072910000-0x0000000072A1A000-memory.dmp

Filesize
1.0MB

Download
memory/5400-214-0x00000000730F0000-0x0000000073114000-memory.dmp

Filesize
144KB

Download
memory/5400-212-0x0000000073120000-0x00000000731EE000-memory.dmp

Filesize
824KB

Download
memory/5400-211-0x00000000731F0000-0x00000000732B8000-memory.dmp

Filesize
800KB

Download
memory/5400-209-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5404-52-0x0000000001BA0000-0x0000000001BE9000-memory.dmp

Filesize
292KB

Download
memory/5404-51-0x0000000073710000-0x00000000737D8000-memory.dmp

Filesize
800KB

Download
memory/5404-17-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5404-42-0x0000000073420000-0x0000000073444000-memory.dmp

Filesize
144KB

Download
memory/5404-43-0x00000000735F0000-0x0000000073639000-memory.dmp

Filesize
292KB

Download
memory/5404-41-0x0000000073560000-0x00000000735E8000-memory.dmp

Filesize
544KB

Download
memory/5404-40-0x0000000073640000-0x000000007370E000-memory.dmp

Filesize
824KB

Download
memory/5404-39-0x0000000073150000-0x000000007341F000-memory.dmp

Filesize
2.8MB

Download
memory/5404-38-0x0000000001BA0000-0x0000000001E6F000-memory.dmp

Filesize
2.8MB

Download
memory/5404-65-0x0000000073640000-0x000000007370E000-memory.dmp

Filesize
824KB

Download
memory/5404-57-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5404-54-0x0000000001BA0000-0x0000000001E6F000-memory.dmp

Filesize
2.8MB

Download
memory/5404-37-0x0000000073450000-0x000000007355A000-memory.dmp

Filesize
1.0MB

Download
memory/5404-33-0x0000000001BA0000-0x0000000001BE9000-memory.dmp

Filesize
292KB

Download
memory/5404-55-0x0000000073150000-0x000000007341F000-memory.dmp

Filesize
2.8MB

Download
memory/5404-31-0x0000000073710000-0x00000000737D8000-memory.dmp

Filesize
800KB

Download
memory/5404-49-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5404-53-0x0000000073450000-0x000000007355A000-memory.dmp

Filesize
1.0MB

Download
memory/5468-104-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/5468-80-0x00000000732F0000-0x0000000073314000-memory.dmp

Filesize
144KB

Download
memory/5468-105-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5468-103-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/5468-82-0x0000000073150000-0x00000000731D8000-memory.dmp

Filesize
544KB

Download
memory/5468-83-0x0000000073370000-0x000000007343E000-memory.dmp

Filesize
824KB

Download
memory/5468-102-0x0000000073370000-0x000000007343E000-memory.dmp

Filesize
824KB

Download
memory/5468-81-0x00000000731E0000-0x00000000732EA000-memory.dmp

Filesize
1.0MB

Download
memory/5468-77-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/5468-78-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/5468-79-0x0000000073320000-0x0000000073369000-memory.dmp

Filesize
292KB

Download
memory/5704-92-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/5704-48-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/5704-56-0x0000000072E20000-0x0000000072E59000-memory.dmp

Filesize
228KB

Download
memory/5704-90-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/5792-127-0x00000000732B0000-0x00000000733BA000-memory.dmp

Filesize
1.0MB

Download
memory/5792-123-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/5792-124-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/5792-125-0x00000000733F0000-0x0000000073439000-memory.dmp

Filesize
292KB

Download
memory/5792-126-0x00000000733C0000-0x00000000733E4000-memory.dmp

Filesize
144KB

Download
memory/5792-128-0x0000000073220000-0x00000000732A8000-memory.dmp

Filesize
544KB

Download
memory/5792-175-0x0000000000E00000-0x0000000001204000-memory.dmp

Filesize
4.0MB

Download
memory/5792-176-0x0000000073510000-0x00000000737DF000-memory.dmp

Filesize
2.8MB

Download
memory/5792-177-0x0000000073440000-0x0000000073508000-memory.dmp

Filesize
800KB

Download
memory/5792-178-0x0000000073150000-0x000000007321E000-memory.dmp

Filesize
824KB

Download
memory/5792-129-0x0000000073150000-0x000000007321E000-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads