08dad3498c2ab4855eac9c9324fca017308b5aa1bc573c95c37148b4ed89f08d

Analysis

max time kernel
169s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018df191f0db6e21907cc999d9f6467c.exe
Size

294KB
MD5

018df191f0db6e21907cc999d9f6467c
SHA1

1557261aa56ecd7f355f104b80ad8ad2f620eee2
SHA256

08dad3498c2ab4855eac9c9324fca017308b5aa1bc573c95c37148b4ed89f08d
SHA512

2e440a1d343981a457e6ca0459b67c8be574173f49f90e72530de8c8f36727c322d3136d39b2dac0ea78fe2b6a889bc0c1d889939917cf11916b79e8b610b955
SSDEEP

6144:wz4aVvv5nsxGlx4fbDHHWnQP9anNRrLYW92Q9WnlJifcUWsOC8rlo:wEaVnx2Glxqbbf9Lw9WngUy8rlo

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4524	netsh.exe

Deletes itself 1 IoCs

pid	Process
3724	acwow64.exe

Executes dropped EXE 54 IoCs

pid	Process
4308	acppage.exe
5020	AcGenral.exe
3724	acwow64.exe
3220	acppage.exe
4324	AcLayers.exe
1948	apphelp.exe
1364	agentactivationruntimewindows.exe
2096	aadtb.exe
3856	AcSpecfc.exe
2980	advapi32res.exe
4388	AppManagementConfiguration.exe
2768	AdaptiveCards.exe
1984	ActionCenterCPL.exe
4256	AccountsRt.exe
5012	accountaccessor.exe
3916	AcWinRT.exe
2300	AboveLockAppHost.exe
2084	AddressParser.exe
716	AarSvc.exe
4684	adrclient.exe
4020	AppExtension.exe
3788	AcSpecfc.exe
2044	AboveLockAppHost.exe
1620	ActivationClient.exe
1656	AppIdPolicyEngineApi.exe
2996	altspace.exe
3676	aadWamExtension.exe
4804	acppage.exe
332	activeds.exe
4752	ActivationClient.exe
4520	AcLayers.exe
3584	aadauthhelper.exe
1928	AccountsRt.exe
3192	advpack.exe
1816	AudioEng.exe
2848	AcSpecfc.exe
1700	adtschema.exe
1136	adsnt.exe
3624	ActionCenterCPL.exe
940	accountaccessor.exe
4880	adtschema.exe
4412	aadWamExtension.exe
4632	accessibilitycpl.exe
1460	advpack.exe
1804	AccountsRt.exe
888	AppResolver.exe
760	amsi.exe
3104	AcGenral.exe
1856	AccountsRt.exe
3316	aadtb.exe
4896	accountaccessor.exe
952	acledit.exe
4324	AarSvc.exe
4988	acledit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smwcore = "C:\\Windows\\system32\\acledit.exe"	acledit.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adrclient.exe	AarSvc.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenterCPL.exe	adsnt.exe
File opened for modification	C:\Windows\SysWOW64\amsi.exe	AppResolver.exe
File created	C:\Windows\SysWOW64\accountaccessor.exe	ActionCenterCPL.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	AddressParser.exe
File opened for modification	C:\Windows\SysWOW64\AboveLockAppHost.exe	AcSpecfc.exe
File opened for modification	C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe	ActivationClient.exe
File opened for modification	C:\Windows\SysWOW64\advapi32res.exe	AcSpecfc.exe
File created	C:\Windows\SysWOW64\AcSpecfc.exe	AppExtension.exe
File created	C:\Windows\SysWOW64\aadWamExtension.exe	altspace.exe
File created	C:\Windows\SysWOW64\ActivationClient.exe	activeds.exe
File opened for modification	C:\Windows\SysWOW64\aadauthhelper.exe	AcLayers.exe
File opened for modification	C:\Windows\SysWOW64\adsnt.exe	adtschema.exe
File created	C:\Windows\SysWOW64\agentactivationruntimewindows.exe	apphelp.exe
File created	C:\Windows\SysWOW64\AcWinRT.exe	accountaccessor.exe
File opened for modification	C:\Windows\SysWOW64\AboveLockAppHost.exe	AcWinRT.exe
File opened for modification	C:\Windows\SysWOW64\AcSpecfc.exe	AudioEng.exe
File created	C:\Windows\SysWOW64\AcGenral.exe	acppage.exe
File created	C:\Windows\SysWOW64\AddressParser.exe	AboveLockAppHost.exe
File created	C:\Windows\SysWOW64\acppage.exe	aadWamExtension.exe
File created	C:\Windows\SysWOW64\acledit.nls	acledit.exe
File created	C:\Windows\SysWOW64\accountaccessor.exe	aadtb.exe
File created	C:\Windows\SysWOW64\acppage.exe	018df191f0db6e21907cc999d9f6467c.exe
File created	C:\Windows\SysWOW64\accountaccessor.exe	AccountsRt.exe
File opened for modification	C:\Windows\SysWOW64\AcGenral.exe	amsi.exe
File opened for modification	C:\Windows\SysWOW64\AudioEng.exe	advpack.exe
File created	C:\Windows\SysWOW64\adtschema.exe	accountaccessor.exe
File opened for modification	C:\Windows\SysWOW64\AccountsRt.exe	advpack.exe
File opened for modification	C:\Windows\SysWOW64\AppExtension.exe	adrclient.exe
File opened for modification	C:\Windows\SysWOW64\activeds.exe	acppage.exe
File created	C:\Windows\SysWOW64\AccountsRt.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\AddressParser.exe	AboveLockAppHost.exe
File opened for modification	C:\Windows\SysWOW64\AcLayers.exe	ActivationClient.exe
File created	C:\Windows\SysWOW64\advpack.exe	AccountsRt.exe
File opened for modification	C:\Windows\SysWOW64\AcGenral.exe	acppage.exe
File created	C:\Windows\SysWOW64\aadtb.exe	agentactivationruntimewindows.exe
File created	C:\Windows\SysWOW64\AboveLockAppHost.exe	AcSpecfc.exe
File opened for modification	C:\Windows\SysWOW64\accountaccessor.exe	aadtb.exe
File created	C:\Windows\SysWOW64\AccountsRt.exe	advpack.exe
File created	C:\Windows\SysWOW64\acppage.exe	acwow64.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\activeds.exe	acppage.exe
File opened for modification	C:\Windows\SysWOW64\adrclient.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\AudioEng.exe	advpack.exe
File opened for modification	C:\Windows\SysWOW64\AppResolver.exe	AccountsRt.exe
File created	C:\Windows\SysWOW64\aadtb.exe	AccountsRt.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	acledit.exe
File created	C:\Windows\SysWOW64\acwow64.exe	AcGenral.exe
File created	C:\Windows\SysWOW64\AdaptiveCards.exe	AppManagementConfiguration.exe
File created	C:\Windows\SysWOW64\AcLayers.exe	ActivationClient.exe
File created	C:\Windows\SysWOW64\ActivationClient.exe	AboveLockAppHost.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	accountaccessor.exe
File opened for modification	C:\Windows\SysWOW64\aadtb.exe	agentactivationruntimewindows.exe
File opened for modification	C:\Windows\SysWOW64\AcSpecfc.exe	aadtb.exe
File created	C:\Windows\SysWOW64\AppManagementConfiguration.exe	advapi32res.exe
File created	C:\Windows\SysWOW64\apphelp.exe	AarSvc.exe
File opened for modification	C:\Windows\SysWOW64\AcSpecfc.exe	AppExtension.exe
File opened for modification	C:\Windows\SysWOW64\aadWamExtension.exe	adtschema.exe
File opened for modification	C:\Windows\SysWOW64\acppage.exe	aadWamExtension.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	aadWamExtension.exe
File opened for modification	C:\Windows\SysWOW64\acppage.exe	018df191f0db6e21907cc999d9f6467c.exe
File created	C:\Windows\SysWOW64\AcLayers.exe	acppage.exe
File opened for modification	C:\Windows\SysWOW64\AcWinRT.exe	accountaccessor.exe
File opened for modification	C:\Windows\SysWOW64\ActivationClient.exe	activeds.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe
952	acledit.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	018df191f0db6e21907cc999d9f6467c.exe
Token: SeDebugPrivilege	4308	acppage.exe
Token: SeDebugPrivilege	5020	AcGenral.exe
Token: SeDebugPrivilege	3724	acwow64.exe
Token: SeDebugPrivilege	3220	acppage.exe
Token: SeDebugPrivilege	4324	AcLayers.exe
Token: SeDebugPrivilege	1948	apphelp.exe
Token: SeDebugPrivilege	1364	agentactivationruntimewindows.exe
Token: SeDebugPrivilege	2096	aadtb.exe
Token: SeDebugPrivilege	3856	AcSpecfc.exe
Token: SeDebugPrivilege	2980	advapi32res.exe
Token: SeDebugPrivilege	4388	AppManagementConfiguration.exe
Token: SeDebugPrivilege	2768	AdaptiveCards.exe
Token: SeDebugPrivilege	1984	ActionCenterCPL.exe
Token: SeDebugPrivilege	4256	AccountsRt.exe
Token: SeDebugPrivilege	5012	accountaccessor.exe
Token: SeDebugPrivilege	3916	AcWinRT.exe
Token: SeDebugPrivilege	2300	AboveLockAppHost.exe
Token: SeDebugPrivilege	2084	AddressParser.exe
Token: SeDebugPrivilege	716	AarSvc.exe
Token: SeDebugPrivilege	4684	adrclient.exe
Token: SeDebugPrivilege	4020	AppExtension.exe
Token: SeDebugPrivilege	3788	AcSpecfc.exe
Token: SeDebugPrivilege	2044	AboveLockAppHost.exe
Token: SeDebugPrivilege	1620	ActivationClient.exe
Token: SeDebugPrivilege	1656	AppIdPolicyEngineApi.exe
Token: SeDebugPrivilege	2996	altspace.exe
Token: SeDebugPrivilege	3676	aadWamExtension.exe
Token: SeDebugPrivilege	4804	acppage.exe
Token: SeDebugPrivilege	332	activeds.exe
Token: SeDebugPrivilege	4752	ActivationClient.exe
Token: SeDebugPrivilege	4520	AcLayers.exe
Token: SeDebugPrivilege	3584	aadauthhelper.exe
Token: SeDebugPrivilege	1928	AccountsRt.exe
Token: SeDebugPrivilege	3192	advpack.exe
Token: SeDebugPrivilege	1816	AudioEng.exe
Token: SeDebugPrivilege	2848	AcSpecfc.exe
Token: SeDebugPrivilege	1700	adtschema.exe
Token: SeDebugPrivilege	1136	adsnt.exe
Token: SeDebugPrivilege	3624	ActionCenterCPL.exe
Token: SeDebugPrivilege	940	accountaccessor.exe
Token: SeDebugPrivilege	4880	adtschema.exe
Token: SeDebugPrivilege	4412	aadWamExtension.exe
Token: SeDebugPrivilege	4632	accessibilitycpl.exe
Token: SeDebugPrivilege	1460	advpack.exe
Token: SeDebugPrivilege	1804	AccountsRt.exe
Token: SeDebugPrivilege	888	AppResolver.exe
Token: SeDebugPrivilege	760	amsi.exe
Token: SeDebugPrivilege	3104	AcGenral.exe
Token: SeDebugPrivilege	1856	AccountsRt.exe
Token: SeDebugPrivilege	3316	aadtb.exe
Token: SeDebugPrivilege	4896	accountaccessor.exe
Token: SeDebugPrivilege	952	acledit.exe
Token: SeDebugPrivilege	4324	AarSvc.exe
Token: SeDebugPrivilege	4988	acledit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 4308	4140	018df191f0db6e21907cc999d9f6467c.exe	91
PID 4140 wrote to memory of 4308	4140	018df191f0db6e21907cc999d9f6467c.exe	91
PID 4140 wrote to memory of 4308	4140	018df191f0db6e21907cc999d9f6467c.exe	91
PID 4308 wrote to memory of 5020	4308	acppage.exe	92
PID 4308 wrote to memory of 5020	4308	acppage.exe	92
PID 4308 wrote to memory of 5020	4308	acppage.exe	92
PID 5020 wrote to memory of 3724	5020	AcGenral.exe	96
PID 5020 wrote to memory of 3724	5020	AcGenral.exe	96
PID 5020 wrote to memory of 3724	5020	AcGenral.exe	96
PID 3724 wrote to memory of 3220	3724	acwow64.exe	98
PID 3724 wrote to memory of 3220	3724	acwow64.exe	98
PID 3724 wrote to memory of 3220	3724	acwow64.exe	98
PID 3220 wrote to memory of 4324	3220	acppage.exe	101
PID 3220 wrote to memory of 4324	3220	acppage.exe	101
PID 3220 wrote to memory of 4324	3220	acppage.exe	101
PID 4324 wrote to memory of 1948	4324	AarSvc.exe	102
PID 4324 wrote to memory of 1948	4324	AarSvc.exe	102
PID 4324 wrote to memory of 1948	4324	AarSvc.exe	102
PID 1948 wrote to memory of 1364	1948	apphelp.exe	104
PID 1948 wrote to memory of 1364	1948	apphelp.exe	104
PID 1948 wrote to memory of 1364	1948	apphelp.exe	104
PID 1364 wrote to memory of 2096	1364	agentactivationruntimewindows.exe	105
PID 1364 wrote to memory of 2096	1364	agentactivationruntimewindows.exe	105
PID 1364 wrote to memory of 2096	1364	agentactivationruntimewindows.exe	105
PID 2096 wrote to memory of 3856	2096	aadtb.exe	106
PID 2096 wrote to memory of 3856	2096	aadtb.exe	106
PID 2096 wrote to memory of 3856	2096	aadtb.exe	106
PID 3856 wrote to memory of 2980	3856	AcSpecfc.exe	107
PID 3856 wrote to memory of 2980	3856	AcSpecfc.exe	107
PID 3856 wrote to memory of 2980	3856	AcSpecfc.exe	107
PID 2980 wrote to memory of 4388	2980	advapi32res.exe	108
PID 2980 wrote to memory of 4388	2980	advapi32res.exe	108
PID 2980 wrote to memory of 4388	2980	advapi32res.exe	108
PID 4388 wrote to memory of 2768	4388	AppManagementConfiguration.exe	109
PID 4388 wrote to memory of 2768	4388	AppManagementConfiguration.exe	109
PID 4388 wrote to memory of 2768	4388	AppManagementConfiguration.exe	109
PID 2768 wrote to memory of 1984	2768	AdaptiveCards.exe	110
PID 2768 wrote to memory of 1984	2768	AdaptiveCards.exe	110
PID 2768 wrote to memory of 1984	2768	AdaptiveCards.exe	110
PID 1984 wrote to memory of 4256	1984	ActionCenterCPL.exe	111
PID 1984 wrote to memory of 4256	1984	ActionCenterCPL.exe	111
PID 1984 wrote to memory of 4256	1984	ActionCenterCPL.exe	111
PID 4256 wrote to memory of 5012	4256	AccountsRt.exe	113
PID 4256 wrote to memory of 5012	4256	AccountsRt.exe	113
PID 4256 wrote to memory of 5012	4256	AccountsRt.exe	113
PID 5012 wrote to memory of 3916	5012	accountaccessor.exe	114
PID 5012 wrote to memory of 3916	5012	accountaccessor.exe	114
PID 5012 wrote to memory of 3916	5012	accountaccessor.exe	114
PID 3916 wrote to memory of 2300	3916	AcWinRT.exe	115
PID 3916 wrote to memory of 2300	3916	AcWinRT.exe	115
PID 3916 wrote to memory of 2300	3916	AcWinRT.exe	115
PID 2300 wrote to memory of 2084	2300	AboveLockAppHost.exe	116
PID 2300 wrote to memory of 2084	2300	AboveLockAppHost.exe	116
PID 2300 wrote to memory of 2084	2300	AboveLockAppHost.exe	116
PID 2084 wrote to memory of 716	2084	AddressParser.exe	117
PID 2084 wrote to memory of 716	2084	AddressParser.exe	117
PID 2084 wrote to memory of 716	2084	AddressParser.exe	117
PID 716 wrote to memory of 4684	716	AarSvc.exe	118
PID 716 wrote to memory of 4684	716	AarSvc.exe	118
PID 716 wrote to memory of 4684	716	AarSvc.exe	118
PID 4684 wrote to memory of 4020	4684	adrclient.exe	119
PID 4684 wrote to memory of 4020	4684	adrclient.exe	119
PID 4684 wrote to memory of 4020	4684	adrclient.exe	119
PID 4020 wrote to memory of 3788	4020	AppExtension.exe	120

C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe
"C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\acppage.exe
  "C:\Windows\system32\acppage.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\AcGenral.exe
    "C:\Windows\system32\AcGenral.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\acwow64.exe
      "C:\Windows\system32\acwow64.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\acppage.exe
        
        "C:\Windows\system32\acppage.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3220
      - C:\Windows\SysWOW64\AcLayers.exe
        
        "C:\Windows\system32\AcLayers.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\SysWOW64\apphelp.exe
        
        "C:\Windows\system32\apphelp.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\agentactivationruntimewindows.exe
        
        "C:\Windows\system32\agentactivationruntimewindows.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\aadtb.exe
        
        "C:\Windows\system32\aadtb.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        "C:\Windows\system32\AcSpecfc.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\advapi32res.exe
        
        "C:\Windows\system32\advapi32res.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\AppManagementConfiguration.exe
        
        "C:\Windows\system32\AppManagementConfiguration.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\AdaptiveCards.exe
        
        "C:\Windows\system32\AdaptiveCards.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        "C:\Windows\system32\ActionCenterCPL.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\AccountsRt.exe
        
        "C:\Windows\system32\AccountsRt.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\accountaccessor.exe
        
        "C:\Windows\system32\accountaccessor.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\AcWinRT.exe
        
        "C:\Windows\system32\AcWinRT.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\AboveLockAppHost.exe
        
        "C:\Windows\system32\AboveLockAppHost.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\AddressParser.exe
        
        "C:\Windows\system32\AddressParser.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        "C:\Windows\system32\AarSvc.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\adrclient.exe
        
        "C:\Windows\system32\adrclient.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\AppExtension.exe
        
        "C:\Windows\system32\AppExtension.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        "C:\Windows\system32\AcSpecfc.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
        
        C:\Windows\SysWOW64\AboveLockAppHost.exe
        
        "C:\Windows\system32\AboveLockAppHost.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\ActivationClient.exe
        
        "C:\Windows\system32\ActivationClient.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
        
        "C:\Windows\system32\AppIdPolicyEngineApi.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\altspace.exe
        
        "C:\Windows\system32\altspace.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\aadWamExtension.exe
        
        "C:\Windows\system32\aadWamExtension.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\SysWOW64\acppage.exe
        
        "C:\Windows\system32\acppage.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\SysWOW64\activeds.exe
        
        "C:\Windows\system32\activeds.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\SysWOW64\ActivationClient.exe
        
        "C:\Windows\system32\ActivationClient.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\SysWOW64\AcLayers.exe
        
        "C:\Windows\system32\AcLayers.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SysWOW64\aadauthhelper.exe
        
        "C:\Windows\system32\aadauthhelper.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\SysWOW64\AccountsRt.exe
        
        "C:\Windows\system32\AccountsRt.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\SysWOW64\advpack.exe
        
        "C:\Windows\system32\advpack.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\AudioEng.exe
        
        "C:\Windows\system32\AudioEng.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        "C:\Windows\system32\AcSpecfc.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\adtschema.exe
        
        "C:\Windows\system32\adtschema.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\adsnt.exe
        
        "C:\Windows\system32\adsnt.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        "C:\Windows\system32\ActionCenterCPL.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\SysWOW64\accountaccessor.exe
        
        "C:\Windows\system32\accountaccessor.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\SysWOW64\adtschema.exe
        
        "C:\Windows\system32\adtschema.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SysWOW64\aadWamExtension.exe
        
        "C:\Windows\system32\aadWamExtension.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        "C:\Windows\system32\accessibilitycpl.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\SysWOW64\advpack.exe
        
        "C:\Windows\system32\advpack.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\SysWOW64\AccountsRt.exe
        
        "C:\Windows\system32\AccountsRt.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\SysWOW64\AppResolver.exe
        
        "C:\Windows\system32\AppResolver.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\amsi.exe
        
        "C:\Windows\system32\amsi.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\SysWOW64\AcGenral.exe
        
        "C:\Windows\system32\AcGenral.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\SysWOW64\AccountsRt.exe
        
        "C:\Windows\system32\AccountsRt.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe" -m"3104:C:\Windows\SysWOW64\AcGenral.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\SysWOW64\aadtb.exe
        
        "C:\Windows\system32\aadtb.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe" -m"3104:C:\Windows\SysWOW64\AcGenral.exe" -m"1856:C:\Windows\SysWOW64\AccountsRt.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\SysWOW64\accountaccessor.exe
        
        "C:\Windows\system32\accountaccessor.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe" -m"3104:C:\Windows\SysWOW64\AcGenral.exe" -m"1856:C:\Windows\SysWOW64\AccountsRt.exe" -m"3316:C:\Windows\SysWOW64\aadtb.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\SysWOW64\acledit.exe
        
        "C:\Windows\system32\acledit.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe" -m"3104:C:\Windows\SysWOW64\AcGenral.exe" -m"1856:C:\Windows\SysWOW64\AccountsRt.exe" -m"3316:C:\Windows\SysWOW64\aadtb.exe" -m"4896:C:\Windows\SysWOW64\accountaccessor.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        "C:\Windows\system32\AarSvc.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe" -m"3104:C:\Windows\SysWOW64\AcGenral.exe" -m"1856:C:\Windows\SysWOW64\AccountsRt.exe" -m"3316:C:\Windows\SysWOW64\aadtb.exe" -m"4896:C:\Windows\SysWOW64\accountaccessor.exe" -m"952:C:\Windows\SysWOW64\acledit.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" firewall add allowedprogram "C:\Windows\SysWOW64\acledit.exe" enable
        54⤵
        Modifies Windows Firewall
        
        PID:4524
        
        C:\Windows\SysWOW64\acledit.exe
        
        "C:\Windows\SysWOW64\acledit.exe" -m"4140:C:\Users\Admin\AppData\Local\Temp\018df191f0db6e21907cc999d9f6467c.exe" -m"4308:C:\Windows\SysWOW64\acppage.exe" -m"5020:C:\Windows\SysWOW64\AcGenral.exe" -m"3724:C:\Windows\SysWOW64\acwow64.exe" -m"3220:C:\Windows\SysWOW64\acppage.exe" -m"4324:C:\Windows\SysWOW64\AcLayers.exe" -m"1948:C:\Windows\SysWOW64\apphelp.exe" -m"1364:C:\Windows\SysWOW64\agentactivationruntimewindows.exe" -m"2096:C:\Windows\SysWOW64\aadtb.exe" -m"3856:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2980:C:\Windows\SysWOW64\advapi32res.exe" -m"4388:C:\Windows\SysWOW64\AppManagementConfiguration.exe" -m"2768:C:\Windows\SysWOW64\AdaptiveCards.exe" -m"1984:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"4256:C:\Windows\SysWOW64\AccountsRt.exe" -m"5012:C:\Windows\SysWOW64\accountaccessor.exe" -m"3916:C:\Windows\SysWOW64\AcWinRT.exe" -m"2300:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"2084:C:\Windows\SysWOW64\AddressParser.exe" -m"716:C:\Windows\SysWOW64\AarSvc.exe" -m"4684:C:\Windows\SysWOW64\adrclient.exe" -m"4020:C:\Windows\SysWOW64\AppExtension.exe" -m"3788:C:\Windows\SysWOW64\AcSpecfc.exe" -m"2044:C:\Windows\SysWOW64\AboveLockAppHost.exe" -m"1620:C:\Windows\SysWOW64\ActivationClient.exe" -m"1656:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe" -m"2996:C:\Windows\SysWOW64\altspace.exe" -m"3676:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4804:C:\Windows\SysWOW64\acppage.exe" -m"332:C:\Windows\SysWOW64\activeds.exe" -m"4752:C:\Windows\SysWOW64\ActivationClient.exe" -m"4520:C:\Windows\SysWOW64\AcLayers.exe" -m"3584:C:\Windows\SysWOW64\aadauthhelper.exe" -m"1928:C:\Windows\SysWOW64\AccountsRt.exe" -m"3192:C:\Windows\SysWOW64\advpack.exe" -m"1816:C:\Windows\SysWOW64\AudioEng.exe" -m"2848:C:\Windows\SysWOW64\AcSpecfc.exe" -m"1700:C:\Windows\SysWOW64\adtschema.exe" -m"1136:C:\Windows\SysWOW64\adsnt.exe" -m"3624:C:\Windows\SysWOW64\ActionCenterCPL.exe" -m"940:C:\Windows\SysWOW64\accountaccessor.exe" -m"4880:C:\Windows\SysWOW64\adtschema.exe" -m"4412:C:\Windows\SysWOW64\aadWamExtension.exe" -m"4632:C:\Windows\SysWOW64\accessibilitycpl.exe" -m"1460:C:\Windows\SysWOW64\advpack.exe" -m"1804:C:\Windows\SysWOW64\AccountsRt.exe" -m"888:C:\Windows\SysWOW64\AppResolver.exe" -m"760:C:\Windows\SysWOW64\amsi.exe" -m"3104:C:\Windows\SysWOW64\AcGenral.exe" -m"1856:C:\Windows\SysWOW64\AccountsRt.exe" -m"3316:C:\Windows\SysWOW64\aadtb.exe" -m"4896:C:\Windows\SysWOW64\accountaccessor.exe" -w952
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AarSvc.exe

Filesize
221KB

MD5
6736f5c546b6f04fa70639961a2e7299

SHA1
af90b4937bff1a8c2fc41a5343957bfcdb9f5438

SHA256
e365e69deaf695c27520497f19044577102f2f005e5bbd85ae000bfe2270dacb

SHA512
7ab92f1b908d090eed2d06756e5e5473c7a661d10d492e3beba603386f022e0964d035f7a0ab1325e4ff20012088b98d376b20972b4cf37429f96a603ae6335b

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
230KB

MD5
692abb10d2fdf53164bab2ffcd4b9c23

SHA1
38b97a6dcc99145d7da487af14e8fc1340a062a9

SHA256
dff4447c45c972bc5dfeeb5df0a2d17b50219322cdd051656a10edd6e8c761e2

SHA512
eaa4827c4cd8648fc5f5c24a7d736bbcf445a9c3d6d022866ea2bf798e37e00860dcf47b4cc3209afe94e668e84dce777c653b982b75c6cbeef83a9342183c67

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
278KB

MD5
251244fdc397174950b2ca97954647d7

SHA1
faacc60869406e6684c2677d011ae44ffc9e6560

SHA256
7a51ec6d019e54b3e5d106436bd4b6dfbdf2b019125fde04fd7e3376e76932c4

SHA512
a8cdb76abe275a0b8523ca96aa0b1aebb80766ba4a00978636ad18c6400bc87cf28871fe7775fbf5559dc15ec3b53eda7de9e3580cc4cd9fddf2c4fa04be16f2

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
217KB

MD5
2e31678e1bfaa6c57d39581bd61d72d5

SHA1
7022678c4ef09d8f06c73a784ba20d98add0724b

SHA256
08d52bd20ab26265c8689ec5ae386f8c255bd6cdcd6d5c9bc51d2dbaab75f9db

SHA512
63b9dbc49d02f8baced161e5421150e0cf01c865d4d456671b292af5fd6496a100cb8f3ae4e7bafd19fd06e60713af8b13c457712382e6d4c33aa50d11151ff8

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
99KB

MD5
b01d0b8ff80819f81e7e9e63f41e16bd

SHA1
1d2660c12f251533c56a98254076769dfaea5860

SHA256
02cdeb214eca7baa524ffb13113bd77b815d663970cfef02456e7ae32190d520

SHA512
9d0d76a95096813128bf85735d4dd54f86d5a408cb956710ff31c6222277c23bab90ad6c2210d9dc2cbbbc000e43d4418fbca38a2c63e6c27abc95b3203276af

Download Submit
C:\Windows\SysWOW64\AcLayers.exe

Filesize
106KB

MD5
3c8228d539ff22e2bb70e5e8d3fd1d6a

SHA1
a8520dc7e2034b127edfd7505c8731d86b658287

SHA256
8502cc13992dd2ef5edc2e7bf87b2fafee3ef612e443c56cb464b8b380147f49

SHA512
792306b8c77a3780ab521a42a8618a4b8550effa761f6b03f9a0af1e17eb85bab7e3797938571d1226bbe387ce5972be4b99302c5cbc34cbdfa4ba7b02c3e580

Download Submit
C:\Windows\SysWOW64\AcLayers.exe

Filesize
178KB

MD5
017d4d8b0ca40008ef00ecf461b07266

SHA1
5ead8cacbfb59d5bd7725b5fc628e8ab4289a192

SHA256
9d968c04bbad8f97f15ec9f4b49e1ed977b8db50ad39e93a5d3858600455bc48

SHA512
1bd26150158acbeacc26caa9b4ecca9dbba6fac634611b5e30ce6420b1678e8b13c1d083eda3ff24621f4f225304741a156b688ce11c1532589e8cbe3301e676

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
30KB

MD5
fe7ad886f398dd0e2328c0c81ae1d19d

SHA1
3577ce1f864f780cdb1dc898d4cac2204015057e

SHA256
c26145b55463c19e7517a9b67d1c184061de8f6a63572aaded1d9168d04f3241

SHA512
d2cd3ffd608b8560295f79aacbb3abab9b089ed2fd2e93653fbcca65fc1981ecb51e3c75a1b180e5cd87f2f72294e7532109d4c4ebe994ae68e4d7a258ebf403

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
64KB

MD5
af4ef404b7e54bb29e68352d00f0f3c2

SHA1
8f57a5df8de1125843a58a6a97928350c666feea

SHA256
c1484499159d426cdcd1664938f58f82741756ba233fe8084804da63bb8dc0e5

SHA512
05cbe0a5a3cb2bcdf88ddd0703dd674116e30c5b4f659c262eebdf8d7a91483c2c8cad57f8ffd07712dde055d170fcefc18cfc1818eea18065012e9bb3c2cafd

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
106KB

MD5
9b14159485c6b2980fd2452b29798ded

SHA1
c94fbe0536a3d46edc34de49a62ac3c965335bc4

SHA256
61f48dd5c482620ff676e72cef045e1a3b27f7eb5109313849f6999c1947516b

SHA512
016d34a3544d89b0fba07fec47c9ba3182f402f8cfeb8aa35ce3eb68568bfe20d994c2e3931beb91c1286b0c6825fd467bbf1b535b09e797b572111899d20b5c

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
131KB

MD5
0e01d84873e7b5269de6e59b808ab3ce

SHA1
b5a425622bd6972c42663a410d3d86376958d30f

SHA256
b0c13d9938c9b1509046b4aadd1f91054bf0a17800ff7f6cb9583b3c8489f993

SHA512
e56694f316b170bd8fbc22c18667056770dcc4662a1113a09002697547a6a81ea24df1a080ceb0cf82446d42d209f0e0dadf97f563b9af906ad087bec30091d3

Download Submit
C:\Windows\SysWOW64\ActivationClient.exe

Filesize
63KB

MD5
aae7f5688c8cbaa0e34c942be8cb2b54

SHA1
9e43129604451bf6c0e0939c38319fd9d8029911

SHA256
9156bb058b3eb5daff61b096faf8924a1563ac50c2078221ea68e62bfb226af9

SHA512
aac4a4936100b42212a0e2c6a0a0bfe52e3735d4973d09d8515fe9ef430a9662ff459881a20c9fcde701e2728b5cc66aa0b6edd6278b74e47375375e4026a2b8

Download Submit
C:\Windows\SysWOW64\ActivationClient.exe

Filesize
81KB

MD5
44730a1dec74d3b7ec6eed12ba1f2cc0

SHA1
edceee33018c0448dca835fd58fb41fc43834890

SHA256
72cf422cf4b88856675c74d37532437e491858b10436c16003952a948a795c38

SHA512
46b6a8da88e5bae713f4ee33be1a3a7806f07e6ad662cfeaa62b39dc0df2cd7cb0f953885f693bcd4b0844ba5738bac874f3ce1029d84fa2fb708aee32250aa8

Download Submit
C:\Windows\SysWOW64\ActivationClient.exe

Filesize
183KB

MD5
f75195df8d610b4355e9a586513447c6

SHA1
0e07989d0ab059285dbdd5919c3dc7892c18f839

SHA256
146738aa2dd65bb8a0f3fb1d0d7d13f9d169621832eb1668808370c1005ee0bd

SHA512
0372e20378668d53db326069f39843ba9088d618459b84b49828311161ef34f43766f6a73fde48596df7e718e78308f747e14a259fcf6cf730730cef978a0fb6

Download Submit
C:\Windows\SysWOW64\ActivationClient.exe

Filesize
238KB

MD5
94959436f4beffaa7e644e37aefba16b

SHA1
241fe86732e92ad4253d2d5220cf3e12a3d9b219

SHA256
b560e842f41f89a2d6e77b9c12133191d3105e14e783558292e18f36812673f3

SHA512
53d1bfe696c5938c86443608c849eef6a375b45c389790af8273772e9af0b36fdfa3c84c319fe1ea69541146d290ed2843308f9708f8c48924b9e2da773f81d6

Download Submit
C:\Windows\SysWOW64\AddressParser.exe

Filesize
196KB

MD5
96a9c67fb84d23f1c8e06102ee94e5a6

SHA1
a7c79e60b20f5d5237ce677131b1fdc96e02e2b2

SHA256
6ff942bb36144dbed85f478c985a90ad199312a5804bc901de445c9ae94c6bd9

SHA512
5b6cf96b04dd62ae2c1266084847b9cd7f59a085d9da568d5beb53c91112bcaf23e00354aeac42eed34819c389994093522937fdd4e36ebdf0462e788e9f8870

Download Submit
C:\Windows\SysWOW64\AppExtension.exe

Filesize
196KB

MD5
da979c8021c26a9335dc25c92adc620d

SHA1
675ff822ea40711a9672fa5572e61ed831f3c6c2

SHA256
bd782f2c52ccf2406f4ff512a212365674cce95e1ecd0af7536593a604a3d55e

SHA512
c5c9f20b5a165b843a0e4adc43dbb1701a95046b36c0e91a79b0b56d7d025383a8daeb935c083daa3569e526f94c861ab8e65ed2b21475bd92fe1c58236f4578

Download Submit
C:\Windows\SysWOW64\AppExtension.exe

Filesize
103KB

MD5
a1241f1f4b0f1787cc7689a0a9135519

SHA1
8fa2015479e5c89d8243dbf4e877a4bc5b69dbc1

SHA256
86f665f1cf3bdad9fce6ea5ac5860df9007353efc0d0bc4ab2fa7c240f128047

SHA512
3cbe2253713efe87760785d3d7a483bd99b4fb69eb35988cc77a30e596fcee086747c23e2ffc5dcf640d8fa10db9fc3474e26dedfc29e0fbf10a47b8b82460e0

Download Submit
C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe

Filesize
105KB

MD5
aa78175bc6686ea7281a1f86b8193405

SHA1
c2ffdf13b385f7feea161885f3d09ecec4c4f850

SHA256
623fb60bf7ab28804773c7afa5ddd3c062cb7d875fb2495140f8d1b63e914c5a

SHA512
598e3a4f46f442090399670b16ebf7d11a62dedfa28ff9cf84f30794361817d38cacaa3bc30e67263d58e8d403794f7f48fa7421268b811110c268fa6fd44a26

Download Submit
C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe

Filesize
111KB

MD5
91aaa5412f9b1a4e0cb7dfc1976e3244

SHA1
d0b9467dacd7e28a80e4d65bdb52b3041192231d

SHA256
bfc5a3e3877b6af5b26362dc3cd3a1f73719d899150f1f35dd8e47488edbbb29

SHA512
a4c0525d02f78f7e3b48a00fc86491e8b51af1d73f5b434ecdb5e0ae7190ea14c483efb7bc8bacf0ed2413a43423dde922c48ca7d451090205f741b75e484088

Download Submit
C:\Windows\SysWOW64\aadWamExtension.exe

Filesize
186KB

MD5
039f6547e667198df2ca196a5f906697

SHA1
aa14447140d5c72241c20e040c9a02b0c1e88204

SHA256
8c1fbc17c03255bef48607b9c73393e76494a0bfae6869543f93b9a56d6f3356

SHA512
2d3f2faca0466db54fd4b14f5107a4c43a75f3f8ac27679b604254704bb79174b51f9cf80d40280cbcab6398b454c5f1e0a8258d352d4466a1138d574e2920e4

Download Submit
C:\Windows\SysWOW64\aadWamExtension.exe

Filesize
165KB

MD5
8d94fe8961f88bb847d9df353f178299

SHA1
aad21ddaec96c166aefc870685f6db0c896a18f6

SHA256
8b2ee9332de2e789d998c085e02b85abb4cbf0fcef3f679575e977d5ff8d937b

SHA512
a9173fb6ba9f1bc979983e580143815a1b3a024bef35d608733a06d4cb628fa2739712113b043d3a2055a4c31d7cd64dc83a70e6b88abf25fb4cc6d003e3e14c

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
157KB

MD5
75676c104c26444038628474d40127ff

SHA1
401aad8fa7f514e5fbb3520becd1efa6a74e3197

SHA256
3355b0b549f8ddf9706d8df8b16e2b506b3ec8a6da9292a1bae088e386677a51

SHA512
a0ae0ce21fc08c4dc47e1060b2bef62ed4e3ceb57f9043384b28f24a4dd8208a01e682a0721fd1aed4c67d9fced95608946a6be1821104743bfe46e4643ca06e

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
72KB

MD5
c2692122776dfe0639698d1b6dd6eabb

SHA1
1a525a0492cdbee42c7e22ed6d84da6424f2661f

SHA256
d540c2fb149787393f974842efbc40b34051d9d52706dcc4df02f05d48f758a0

SHA512
2eb3abf61608d5e2e12ee7ae54104a04d5465783257a4b9d6c8915ff1d445b0122ae5c83f4694bb61a4419a62576851f8321444b170ea1e1b7d8c57d396eb43d

Download Submit
C:\Windows\SysWOW64\aadtb.exe

Filesize
260KB

MD5
3c2305a81ea7982c9938bc6984a0a76a

SHA1
183d44ebcb96481ddf42fd17d248a8246454c1b9

SHA256
57b19b1f6f16805c82132eb854cf20bea40e715258661c9ac08d02edf5d07446

SHA512
ba50bfc3614b58cd857e008f909e3a445f2ed0e66944e139f589ea22fdcba6913e2b58dea8424e139d9c2090bef090200b20a3fcfc069d9695204911b24c38a0

Download Submit
C:\Windows\SysWOW64\aadtb.exe

Filesize
250KB

MD5
50c8279a3ba5bc9ef71be963ff36c658

SHA1
ced82cc0f286e2e55ecee6c90709d8707045a231

SHA256
fb04a6049c2ca3bd3510aa8bab5e543ef5b63272408630c8af924d760718709a

SHA512
1cd62c7aa12fb60f672c940e7286e9d82a1786419bd39e021ed262abecf6174a100725cac7ae60e0241de5c0ca8c7fdb96ddf7be0d6998ba1e60f7c1b594ca88

Download Submit
C:\Windows\SysWOW64\accountaccessor.exe

Filesize
132KB

MD5
7300fcfce677bb923c9a0968b21b4186

SHA1
4257f0738a67106b1340cfd17999d71091f77bbd

SHA256
f5841e15e145259db424ef655234dd91ff50a230c3e22c0b7e782a4df8516b44

SHA512
e1fc49c10ca80339afd6df0fcc3e279395b03260f56688f5723c4bb269264feee24f561627ee728b0b4790bfe36cb6b6ac339c7190ecaaa654bf6f560ce8ff9f

Download Submit
C:\Windows\SysWOW64\accountaccessor.exe

Filesize
251KB

MD5
819b5755826e722c9b648d0a69931e05

SHA1
b1835886b5130c8d18decc9d42cc5cb7f7c7ab84

SHA256
3091fbcb145255d3fdf263f865177358723915940d5c47f1fe943318a977c2df

SHA512
ed026bc5720f7035d12f113f39b31a023b8e977532ed2c4a6728e648c01b1147c8f8affb2c11334af1a6f00a8321ddbfe04a3cfc4487e51670baeacdc96ec801

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
294KB

MD5
018df191f0db6e21907cc999d9f6467c

SHA1
1557261aa56ecd7f355f104b80ad8ad2f620eee2

SHA256
08dad3498c2ab4855eac9c9324fca017308b5aa1bc573c95c37148b4ed89f08d

SHA512
2e440a1d343981a457e6ca0459b67c8be574173f49f90e72530de8c8f36727c322d3136d39b2dac0ea78fe2b6a889bc0c1d889939917cf11916b79e8b610b955

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
61KB

MD5
cfa4e690fa5ed533b10d5b69ec43fde3

SHA1
a8ba2482f5fe5ce07d227a3771ddb21d38d425f2

SHA256
97c622f61f42fdad6017cf97571ce282e9e541a8e78c490ca3edfcc006184a2d

SHA512
96ee42a323c72a173d4fd9a307623584fac0a2e952edc361280ebcf8d5b9c869cb8f48d6442789b43f6b69647a319d7ec24c2923f4d41212ae7dfbe4e4e5e6e2

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
83KB

MD5
1bb2a370701a20f48b2d33a33c090679

SHA1
cfe5ed1096b874b259c76672b74d5dd532aa702f

SHA256
efe5a706a629b1508499b3b433fe571ee4d02652f55d10a3743a57cef2ce4373

SHA512
fa2cbd10af00f1488b7a467c040de162d05d0f45aaca72540ce250afdf87ee6e6debcad6202948672c6b3838d098fb0bde948de5d06156288b1511f545cd4378

Download Submit
C:\Windows\SysWOW64\activeds.exe

Filesize
61KB

MD5
e6c5858d9150f7e9c3634b4a0bc0c3d6

SHA1
46c7c2f2b861e91262465c286a9c516046994ef6

SHA256
e61788868fc02c19aa890457c6fd3e48abac84e0d01f68d405e3ad0a9a75e4c3

SHA512
edcaeef8b39f28bea0408b229f02862113e45288492b6c23a423498a65d2474d14f6d4b5d0a936ff379a7a5a108dd522715ecb8a865248afa46857b6e97760d4

Download Submit
C:\Windows\SysWOW64\activeds.exe

Filesize
102KB

MD5
41246d5a162110d1fec843b27f7a0a8b

SHA1
2857eb7f3c5e29a7f859070f76588c793a9f6150

SHA256
c1e8c494e0e159fe961af6ccb4a22317cff5005d487ab851605a7e353b41ce72

SHA512
d237dffca4b07d07a1ea7fe7bdd4238d3c8ed6e67fb30e8e7e2ab674d792ae82050d1e086860f08b42583fb77bc7477c152e5b162c66fc453f5e304960923363

Download Submit
C:\Windows\SysWOW64\adrclient.exe

Filesize
169KB

MD5
f0bcf67da8d3e27c59934d2aac8449dd

SHA1
ef9012ba57c50131408bb6a6596a65694fbbdc57

SHA256
9b76e2415d9243ff6b50628d6a2101ba3f56ef7d82e2c4cc574c27e2fb889be3

SHA512
7bad93801ace50c45d9059d693bdcaeaf278577cf60dfa42e009f6d48e1522fab800d5b7e5afa88564d4f7ef8ba5435e7448fdea3683477e83914f7939a35f26

Download Submit
C:\Windows\SysWOW64\adrclient.exe

Filesize
149KB

MD5
c9cbf53d55c8ee06665d549f364c4607

SHA1
b9851785b34f0f6a3da5b61209912501527443b6

SHA256
a8e6ddb58893d36adc1f5207f221b636646c91d0bae043e6d2b61c0d1b590b0b

SHA512
371cf9f5304bda0dfa802bcee1bce95fb64e3449f37ae0e2c8c28734415087294b77eac48cb6ecf22576952fa829ce4745a8e94b6615b7d3e6005e7bcf18d2df

Download Submit
C:\Windows\SysWOW64\altspace.exe

Filesize
39KB

MD5
ad78ac8a1ac7cdaadbec041fbd7a61af

SHA1
b2c16ba7bec91c82de805a14bfee7d4756e34c07

SHA256
7fcbf00601b292d3689e006335c491415be7317d5fbb4ef2091deeedf235fa1b

SHA512
8c1b901017cc9077535f06a0b2473be0bcbe7c41fce985eede665a0a7450721df7bbaed7fbce110292ae7c5081390c9c7de8bee3725ed5e04b84c99f32edb824

Download Submit
C:\Windows\SysWOW64\altspace.exe

Filesize
30KB

MD5
b24a4beae8ee4aab97354086d506eeaa

SHA1
ed570675fe41a40aa5c92aa44ef5a98f9b859a5c

SHA256
f1ec7874968d2bca73fa7eb4e78b928432d7902779b65e0b5a2324d7a7adfdc8

SHA512
51f7e17b38a4e9b0349031991e0cb5f82f7d7c605a0425192eb79be75817e263978f5a0aafc3fa7457dcf41eef5bbb0b1c2e2ff21b00c0f883d9b3449dfb3669

Download Submit
memory/332-207-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/332-198-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/716-136-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/716-128-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/760-309-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/760-308-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/888-303-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/888-313-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/940-267-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/940-279-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1136-264-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1136-255-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1364-57-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1364-49-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1460-301-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1620-162-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1620-172-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1656-168-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1656-169-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1656-179-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1700-261-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1700-248-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1804-294-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1804-310-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1804-293-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1816-246-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1816-234-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1928-237-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1928-225-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1948-51-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1948-42-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1984-96-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1984-87-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2044-153-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2044-170-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2084-134-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2084-121-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2096-55-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2096-64-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2300-114-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2300-125-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2768-81-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2768-89-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2848-252-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2848-242-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2980-77-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2980-69-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2996-186-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2996-177-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3192-240-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3192-230-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3220-37-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3220-27-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3584-219-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3584-235-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3624-270-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3624-258-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3676-193-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3676-184-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3724-30-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3724-21-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3788-157-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3788-147-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3856-62-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3856-71-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3916-107-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3916-116-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4020-141-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4020-150-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4140-2-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4140-1-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4140-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4140-14-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4256-102-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4256-94-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4308-8-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4308-15-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4324-44-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4324-35-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4388-83-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4388-75-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4412-288-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4412-278-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4520-222-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4520-211-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4632-284-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4632-297-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4684-143-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4752-204-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4752-214-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4804-190-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4804-200-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4880-272-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4880-285-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5012-110-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5012-100-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5020-23-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download