200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

Analysis

max time kernel
152s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
Size

294KB
MD5

86071d73aeafb6e6cc657168a413c44f
SHA1

1e16123ee577aeabde95bf4de00e29ff94354ecf
SHA256

200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581
SHA512

8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2
SSDEEP

6144:N0JRJZIU/HCDNtkpCTWMZQHFqypLdlmMJyYzsZLcjyPQ5PHAd:N0B/iDNtkpCpZQDduLbaAd

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
1972	actxprxy.exe
3320	aadauthhelper.exe
4916	ActionCenterCPL.exe
4804	AddressParser.exe
3492	Apphlpdm.exe
3728	AppVClientPS.exe
4004	bcryptprimitives.exe
744	activeds.exe
4468	AppIdPolicyEngineApi.exe
5100	ActivationClient.exe
1888	adrclient.exe
2900	adsmsext.exe
2288	AarSvc.exe
4184	acppage.exe
1704	apprepapi.exe
4680	AcLayers.exe
4824	AdmTmpl.exe
1128	aadWamExtension.exe
4588	advapi32.exe
3384	aclui.exe
3364	accessibilitycpl.exe
5004	ActionCenterCPL.exe
4420	AarSvc.exe
4188	acledit.exe
2936	accessibilitycpl.exe
4448	AdmTmpl.exe
664	AcWinRT.exe
1432	AarSvc.exe
1884	aadauthhelper.exe
4084	actxprxy.exe
5084	amsi.exe
4580	AcXtrnal.exe
3220	apprepapi.exe
1968	advapi32res.exe
4892	Apphlpdm.exe
1952	AcGenral.exe
4784	AarSvc.exe
1492	AppVEntSubsystems32.exe
3672	AppInstallerPrompt.Desktop.exe
5116	aadtb.exe
4480	AcSpecfc.exe
4468	aadWamExtension.exe
2288	AcSpecfc.exe
4540	AcSpecfc.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5100	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smwcore = "C:\\Windows\\system32\\AcSpecfc.exe"	AcSpecfc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AppVClientPS.exe	Apphlpdm.exe
File created	C:\Windows\SysWOW64\activeds.exe	bcryptprimitives.exe
File created	C:\Windows\SysWOW64\adsmsext.exe	adrclient.exe
File opened for modification	C:\Windows\SysWOW64\AcLayers.exe	apprepapi.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	ActionCenterCPL.exe
File created	C:\Windows\SysWOW64\AdmTmpl.exe	accessibilitycpl.exe
File opened for modification	C:\Windows\SysWOW64\aadauthhelper.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\AddressParser.exe	ActionCenterCPL.exe
File created	C:\Windows\SysWOW64\Apphlpdm.exe	advapi32res.exe
File opened for modification	C:\Windows\SysWOW64\AdmTmpl.exe	accessibilitycpl.exe
File opened for modification	C:\Windows\SysWOW64\AcWinRT.exe	AdmTmpl.exe
File opened for modification	C:\Windows\SysWOW64\advapi32res.exe	apprepapi.exe
File opened for modification	C:\Windows\SysWOW64\aadWamExtension.exe	AcSpecfc.exe
File created	C:\Windows\SysWOW64\ActivationClient.exe	AppIdPolicyEngineApi.exe
File opened for modification	C:\Windows\SysWOW64\Apphlpdm.exe	AddressParser.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.exe	aadWamExtension.exe
File created	C:\Windows\SysWOW64\AarSvc.exe	ActionCenterCPL.exe
File created	C:\Windows\SysWOW64\ActionCenterCPL.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\acppage.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\aadWamExtension.exe	AdmTmpl.exe
File created	C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe	AppVEntSubsystems32.exe
File opened for modification	C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe	AppVEntSubsystems32.exe
File created	C:\Windows\SysWOW64\aadtb.exe	AppInstallerPrompt.Desktop.exe
File created	C:\Windows\SysWOW64\AcSpecfc.nls	AcSpecfc.exe
File opened for modification	C:\Windows\SysWOW64\adrclient.exe	ActivationClient.exe
File created	C:\Windows\SysWOW64\ActionCenterCPL.exe	accessibilitycpl.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	AarSvc.exe
File opened for modification	C:\Windows\SysWOW64\AcXtrnal.exe	amsi.exe
File opened for modification	C:\Windows\SysWOW64\apprepapi.exe	acppage.exe
File opened for modification	C:\Windows\SysWOW64\AppVClientPS.exe	Apphlpdm.exe
File opened for modification	C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe	activeds.exe
File created	C:\Windows\SysWOW64\actxprxy.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\actxprxy.exe	aadauthhelper.exe
File created	C:\Windows\SysWOW64\AcXtrnal.exe	amsi.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenterCPL.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\ActivationClient.exe	AppIdPolicyEngineApi.exe
File created	C:\Windows\SysWOW64\adrclient.exe	ActivationClient.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpl.exe	acledit.exe
File created	C:\Windows\SysWOW64\aadauthhelper.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\bcryptprimitives.exe	AppVClientPS.exe
File created	C:\Windows\SysWOW64\acledit.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	AcWinRT.exe
File created	C:\Windows\SysWOW64\amsi.exe	actxprxy.exe
File created	C:\Windows\SysWOW64\aadWamExtension.exe	AcSpecfc.exe
File opened for modification	C:\Windows\SysWOW64\actxprxy.exe	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
File created	C:\Windows\SysWOW64\advapi32res.exe	apprepapi.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	adsmsext.exe
File created	C:\Windows\SysWOW64\acppage.exe	AarSvc.exe
File opened for modification	C:\Windows\SysWOW64\amsi.exe	actxprxy.exe
File opened for modification	C:\Windows\SysWOW64\AcGenral.exe	Apphlpdm.exe
File opened for modification	C:\Windows\SysWOW64\AcSpecfc.exe	aadtb.exe
File created	C:\Windows\SysWOW64\Apphlpdm.exe	AddressParser.exe
File opened for modification	C:\Windows\SysWOW64\aclui.exe	advapi32.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	aclui.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenterCPL.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\aadauthhelper.exe	actxprxy.exe
File opened for modification	C:\Windows\SysWOW64\AddressParser.exe	ActionCenterCPL.exe
File opened for modification	C:\Windows\SysWOW64\activeds.exe	bcryptprimitives.exe
File created	C:\Windows\SysWOW64\AdmTmpl.exe	AcLayers.exe
File created	C:\Windows\SysWOW64\aclui.exe	advapi32.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	AcGenral.exe
File opened for modification	C:\Windows\SysWOW64\aadauthhelper.exe	actxprxy.exe
File opened for modification	C:\Windows\SysWOW64\apprepapi.exe	AcXtrnal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe
4480	AcSpecfc.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
Token: SeDebugPrivilege	1972	actxprxy.exe
Token: SeDebugPrivilege	3320	aadauthhelper.exe
Token: SeDebugPrivilege	4916	ActionCenterCPL.exe
Token: SeDebugPrivilege	4804	AddressParser.exe
Token: SeDebugPrivilege	3492	Apphlpdm.exe
Token: SeDebugPrivilege	3728	AppVClientPS.exe
Token: SeDebugPrivilege	4004	bcryptprimitives.exe
Token: SeDebugPrivilege	744	activeds.exe
Token: SeDebugPrivilege	4468	AppIdPolicyEngineApi.exe
Token: SeDebugPrivilege	5100	ActivationClient.exe
Token: SeDebugPrivilege	1888	adrclient.exe
Token: SeDebugPrivilege	2900	adsmsext.exe
Token: SeDebugPrivilege	2288	AarSvc.exe
Token: SeDebugPrivilege	4184	acppage.exe
Token: SeDebugPrivilege	1704	apprepapi.exe
Token: SeDebugPrivilege	4680	AcLayers.exe
Token: SeDebugPrivilege	4824	AdmTmpl.exe
Token: SeDebugPrivilege	1128	aadWamExtension.exe
Token: SeDebugPrivilege	4588	advapi32.exe
Token: SeDebugPrivilege	3384	aclui.exe
Token: SeDebugPrivilege	3364	accessibilitycpl.exe
Token: SeDebugPrivilege	5004	ActionCenterCPL.exe
Token: SeDebugPrivilege	4420	AarSvc.exe
Token: SeDebugPrivilege	4188	acledit.exe
Token: SeDebugPrivilege	2936	accessibilitycpl.exe
Token: SeDebugPrivilege	4448	AdmTmpl.exe
Token: SeDebugPrivilege	664	AcWinRT.exe
Token: SeDebugPrivilege	1432	AarSvc.exe
Token: SeDebugPrivilege	1884	aadauthhelper.exe
Token: SeDebugPrivilege	4084	actxprxy.exe
Token: SeDebugPrivilege	5084	amsi.exe
Token: SeDebugPrivilege	4580	AcXtrnal.exe
Token: SeDebugPrivilege	3220	apprepapi.exe
Token: SeDebugPrivilege	1968	advapi32res.exe
Token: SeDebugPrivilege	4892	Apphlpdm.exe
Token: SeDebugPrivilege	1952	AcGenral.exe
Token: SeDebugPrivilege	4784	AarSvc.exe
Token: SeDebugPrivilege	1492	AppVEntSubsystems32.exe
Token: SeDebugPrivilege	3672	AppInstallerPrompt.Desktop.exe
Token: SeDebugPrivilege	5116	aadtb.exe
Token: SeDebugPrivilege	4480	AcSpecfc.exe
Token: SeDebugPrivilege	4468	aadWamExtension.exe
Token: SeDebugPrivilege	2288	AcSpecfc.exe
Token: SeDebugPrivilege	4540	AcSpecfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1972	1368	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	82
PID 1368 wrote to memory of 1972	1368	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	82
PID 1368 wrote to memory of 1972	1368	200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe	82
PID 1972 wrote to memory of 3320	1972	actxprxy.exe	83
PID 1972 wrote to memory of 3320	1972	actxprxy.exe	83
PID 1972 wrote to memory of 3320	1972	actxprxy.exe	83
PID 3320 wrote to memory of 4916	3320	aadauthhelper.exe	84
PID 3320 wrote to memory of 4916	3320	aadauthhelper.exe	84
PID 3320 wrote to memory of 4916	3320	aadauthhelper.exe	84
PID 4916 wrote to memory of 4804	4916	ActionCenterCPL.exe	85
PID 4916 wrote to memory of 4804	4916	ActionCenterCPL.exe	85
PID 4916 wrote to memory of 4804	4916	ActionCenterCPL.exe	85
PID 4804 wrote to memory of 3492	4804	AddressParser.exe	86
PID 4804 wrote to memory of 3492	4804	AddressParser.exe	86
PID 4804 wrote to memory of 3492	4804	AddressParser.exe	86
PID 3492 wrote to memory of 3728	3492	Apphlpdm.exe	87
PID 3492 wrote to memory of 3728	3492	Apphlpdm.exe	87
PID 3492 wrote to memory of 3728	3492	Apphlpdm.exe	87
PID 3728 wrote to memory of 4004	3728	AppVClientPS.exe	88
PID 3728 wrote to memory of 4004	3728	AppVClientPS.exe	88
PID 3728 wrote to memory of 4004	3728	AppVClientPS.exe	88
PID 4004 wrote to memory of 744	4004	bcryptprimitives.exe	89
PID 4004 wrote to memory of 744	4004	bcryptprimitives.exe	89
PID 4004 wrote to memory of 744	4004	bcryptprimitives.exe	89
PID 744 wrote to memory of 4468	744	activeds.exe	90
PID 744 wrote to memory of 4468	744	activeds.exe	90
PID 744 wrote to memory of 4468	744	activeds.exe	90
PID 4468 wrote to memory of 5100	4468	AppIdPolicyEngineApi.exe	91
PID 4468 wrote to memory of 5100	4468	AppIdPolicyEngineApi.exe	91
PID 4468 wrote to memory of 5100	4468	AppIdPolicyEngineApi.exe	91
PID 5100 wrote to memory of 1888	5100	ActivationClient.exe	92
PID 5100 wrote to memory of 1888	5100	ActivationClient.exe	92
PID 5100 wrote to memory of 1888	5100	ActivationClient.exe	92
PID 1888 wrote to memory of 2900	1888	adrclient.exe	93
PID 1888 wrote to memory of 2900	1888	adrclient.exe	93
PID 1888 wrote to memory of 2900	1888	adrclient.exe	93
PID 2900 wrote to memory of 2288	2900	adsmsext.exe	94
PID 2900 wrote to memory of 2288	2900	adsmsext.exe	94
PID 2900 wrote to memory of 2288	2900	adsmsext.exe	94
PID 2288 wrote to memory of 4184	2288	AarSvc.exe	95
PID 2288 wrote to memory of 4184	2288	AarSvc.exe	95
PID 2288 wrote to memory of 4184	2288	AarSvc.exe	95
PID 4184 wrote to memory of 1704	4184	acppage.exe	96
PID 4184 wrote to memory of 1704	4184	acppage.exe	96
PID 4184 wrote to memory of 1704	4184	acppage.exe	96
PID 1704 wrote to memory of 4680	1704	apprepapi.exe	97
PID 1704 wrote to memory of 4680	1704	apprepapi.exe	97
PID 1704 wrote to memory of 4680	1704	apprepapi.exe	97
PID 4680 wrote to memory of 4824	4680	AcLayers.exe	98
PID 4680 wrote to memory of 4824	4680	AcLayers.exe	98
PID 4680 wrote to memory of 4824	4680	AcLayers.exe	98
PID 4824 wrote to memory of 1128	4824	AdmTmpl.exe	99
PID 4824 wrote to memory of 1128	4824	AdmTmpl.exe	99
PID 4824 wrote to memory of 1128	4824	AdmTmpl.exe	99
PID 1128 wrote to memory of 4588	1128	aadWamExtension.exe	100
PID 1128 wrote to memory of 4588	1128	aadWamExtension.exe	100
PID 1128 wrote to memory of 4588	1128	aadWamExtension.exe	100
PID 4588 wrote to memory of 3384	4588	advapi32.exe	101
PID 4588 wrote to memory of 3384	4588	advapi32.exe	101
PID 4588 wrote to memory of 3384	4588	advapi32.exe	101
PID 3384 wrote to memory of 3364	3384	aclui.exe	102
PID 3384 wrote to memory of 3364	3384	aclui.exe	102
PID 3384 wrote to memory of 3364	3384	aclui.exe	102
PID 3364 wrote to memory of 5004	3364	accessibilitycpl.exe	103

C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe
"C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\actxprxy.exe
  "C:\Windows\system32\actxprxy.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\aadauthhelper.exe
    "C:\Windows\system32\aadauthhelper.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\ActionCenterCPL.exe
      "C:\Windows\system32\ActionCenterCPL.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\AddressParser.exe
        
        "C:\Windows\system32\AddressParser.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\SysWOW64\Apphlpdm.exe
        
        "C:\Windows\system32\Apphlpdm.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\AppVClientPS.exe
        
        "C:\Windows\system32\AppVClientPS.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\bcryptprimitives.exe
        
        "C:\Windows\system32\bcryptprimitives.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\activeds.exe
        
        "C:\Windows\system32\activeds.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
        
        "C:\Windows\system32\AppIdPolicyEngineApi.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\ActivationClient.exe
        
        "C:\Windows\system32\ActivationClient.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\adrclient.exe
        
        "C:\Windows\system32\adrclient.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\adsmsext.exe
        
        "C:\Windows\system32\adsmsext.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        "C:\Windows\system32\AarSvc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\acppage.exe
        
        "C:\Windows\system32\acppage.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\apprepapi.exe
        
        "C:\Windows\system32\apprepapi.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\AcLayers.exe
        
        "C:\Windows\system32\AcLayers.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        "C:\Windows\system32\AdmTmpl.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\aadWamExtension.exe
        
        "C:\Windows\system32\aadWamExtension.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\advapi32.exe
        
        "C:\Windows\system32\advapi32.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\aclui.exe
        
        "C:\Windows\system32\aclui.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        "C:\Windows\system32\accessibilitycpl.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        "C:\Windows\system32\ActionCenterCPL.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        "C:\Windows\system32\AarSvc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\SysWOW64\acledit.exe
        
        "C:\Windows\system32\acledit.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        "C:\Windows\system32\accessibilitycpl.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        "C:\Windows\system32\AdmTmpl.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\SysWOW64\AcWinRT.exe
        
        "C:\Windows\system32\AcWinRT.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        "C:\Windows\system32\AarSvc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SysWOW64\aadauthhelper.exe
        
        "C:\Windows\system32\aadauthhelper.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\SysWOW64\actxprxy.exe
        
        "C:\Windows\system32\actxprxy.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\SysWOW64\amsi.exe
        
        "C:\Windows\system32\amsi.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\SysWOW64\AcXtrnal.exe
        
        "C:\Windows\system32\AcXtrnal.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\SysWOW64\apprepapi.exe
        
        "C:\Windows\system32\apprepapi.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\SysWOW64\advapi32res.exe
        
        "C:\Windows\system32\advapi32res.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\Apphlpdm.exe
        
        "C:\Windows\system32\Apphlpdm.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\SysWOW64\AcGenral.exe
        
        "C:\Windows\system32\AcGenral.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        "C:\Windows\system32\AarSvc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\AppVEntSubsystems32.exe
        
        "C:\Windows\system32\AppVEntSubsystems32.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe
        
        "C:\Windows\system32\AppInstallerPrompt.Desktop.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe" -m"1492:C:\Windows\SysWOW64\AppVEntSubsystems32.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\SysWOW64\aadtb.exe
        
        "C:\Windows\system32\aadtb.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe" -m"1492:C:\Windows\SysWOW64\AppVEntSubsystems32.exe" -m"3672:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        "C:\Windows\system32\AcSpecfc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe" -m"1492:C:\Windows\SysWOW64\AppVEntSubsystems32.exe" -m"3672:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe" -m"5116:C:\Windows\SysWOW64\aadtb.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\SysWOW64\aadWamExtension.exe
        
        "C:\Windows\system32\aadWamExtension.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe" -m"1492:C:\Windows\SysWOW64\AppVEntSubsystems32.exe" -m"3672:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe" -m"5116:C:\Windows\SysWOW64\aadtb.exe" -m"4480:C:\Windows\SysWOW64\AcSpecfc.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" firewall add allowedprogram "C:\Windows\SysWOW64\AcSpecfc.exe" enable
        43⤵
        Modifies Windows Firewall
        
        PID:5100
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        "C:\Windows\SysWOW64\AcSpecfc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe" -m"1492:C:\Windows\SysWOW64\AppVEntSubsystems32.exe" -m"3672:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe" -m"5116:C:\Windows\SysWOW64\aadtb.exe" -w4480
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        "C:\Windows\SysWOW64\AcSpecfc.exe" -m"1368:C:\Users\Admin\AppData\Local\Temp\200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581.exe" -m"1972:C:\Windows\SysWOW64\actxprxy.exe" -m"3320:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4916:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4804:C:\Windows\SysWOW64\AddressParser.exe" -m"3492:C:\Windows\SysWOW64\Apphlpdm.exe" -m"3728:C:\Windows\SysWOW64\AppVClientPS.exe" -m"4004:C:\Windows\SysWOW64\bcryptprimitives.exe" -m"744:C:\Windows\SysWOW64\activeds.exe" -m"4468:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"5100:C:\Windows\SysWOW64\ActivationClient.exe" -m"1888:C:\Windows\SysWOW64\adrclient.exe" -m"2900:C:\Windows\SysWOW64\adsmsext.exe" -m"2288:C:\Windows\SysWOW64\AarSvc.exe" -m"4184:C:\Windows\SysWOW64\acppage.exe" -m"1704:C:\Windows\SysWOW64\apprepapi.exe" -m"4680:C:\Windows\SysWOW64\AcLayers.exe" -m"4824:C:\Windows\SysWOW64\AdmTmpl.exe" -m"1128:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4588:C:\Windows\SysWOW64\advapi32.exe" -m"3384:C:\Windows\SysWOW64\aclui.exe" -m"3364:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"5004:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4420:C:\Windows\SysWOW64\AarSvc.exe" -m"4188:C:\Windows\SysWOW64\acledit.exe" -m"2936:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"4448:C:\Windows\SysWOW64\AdmTmpl.exe" -m"664:C:\Windows\SysWOW64\AcWinRT.exe" -m"1432:C:\Windows\SysWOW64\AarSvc.exe" -m"1884:C:\Windows\SysWOW64\aadauthhelper.exe" -m"4084:C:\Windows\SysWOW64\actxprxy.exe" -m"5084:C:\Windows\SysWOW64\amsi.exe" -m"4580:C:\Windows\SysWOW64\AcXtrnal.exe" -m"3220:C:\Windows\SysWOW64\apprepapi.exe" -m"1968:C:\Windows\SysWOW64\advapi32res.exe" -m"4892:C:\Windows\SysWOW64\Apphlpdm.exe" -m"1952:C:\Windows\SysWOW64\AcGenral.exe" -m"4784:C:\Windows\SysWOW64\AarSvc.exe" -m"1492:C:\Windows\SysWOW64\AppVEntSubsystems32.exe" -m"3672:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe" -m"5116:C:\Windows\SysWOW64\aadtb.exe" -w4480
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AarSvc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AcLayers.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AcLayers.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AcWinRT.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AcWinRT.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AcXtrnal.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AcXtrnal.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\ActivationClient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\ActivationClient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AddressParser.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AddressParser.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AdmTmpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AppVClientPS.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\AppVClientPS.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\Apphlpdm.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\Apphlpdm.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aadWamExtension.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aadWamExtension.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\acledit.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\acledit.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aclui.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\aclui.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\activeds.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\activeds.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\actxprxy.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\adrclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\adrclient.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\adsmsext.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\adsmsext.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\advapi32.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\advapi32.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\amsi.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\amsi.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\apprepapi.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\apprepapi.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\bcryptprimitives.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
C:\Windows\SysWOW64\bcryptprimitives.exe

Filesize
294KB

MD5
86071d73aeafb6e6cc657168a413c44f

SHA1
1e16123ee577aeabde95bf4de00e29ff94354ecf

SHA256
200d2f449e619446926c0154a452eca6528e4a80f85c9c18c51629c6ebec8581

SHA512
8a54bacb0033cbe605a7b4f8b6910b1910ff05797e5adbffcdac5b7ec01bfe0324b0ea166a4a1849646c9a9bc19d56d2ed8e234323cb5ed6bd26e91ba70289a2

Download Submit
memory/664-292-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/744-187-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1128-244-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1128-239-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1128-238-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1368-139-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1368-133-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1368-132-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1432-300-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1432-293-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1432-294-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1492-336-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1704-226-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1704-218-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1884-304-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1888-203-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1888-197-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1952-332-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1968-326-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1972-140-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1972-138-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2288-213-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2900-208-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2936-279-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3220-322-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3320-151-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3364-261-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3384-251-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3384-256-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3384-250-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3492-162-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3492-161-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3492-168-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3728-175-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4004-173-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4004-180-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4004-174-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4084-305-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4084-315-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4184-233-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4184-219-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4188-278-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4420-267-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4420-273-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4420-265-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4448-288-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4468-192-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4468-185-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4468-186-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4580-319-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4588-249-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4680-225-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4680-224-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4680-231-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4784-335-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4804-163-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4824-232-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4892-331-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4892-325-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4916-150-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4916-156-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4916-149-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5004-266-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5084-316-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5100-198-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download